Retrieves violations for a resource based on the specified AWS Firewall Manager policy and AWS account.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
get-violation-details
--policy-id <value>
--member-account <value>
--resource-id <value>
--resource-type <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--policy-id
(string)
The ID of the AWS Firewall Manager policy that you want the details for. This currently only supports security group content audit policies.
--member-account
(string)
The AWS account ID that you want the details for.
--resource-id
(string)
The ID of the resource that has violations.
--resource-type
(string)
The resource type. This is in the format shown in the AWS Resource Types Reference. Supported resource types are: AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::NetworkFirewall::FirewallPolicy, and AWS::EC2::Subnet.
--cli-input-json | --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
ViolationDetail -> (structure)
Violation detail for a resource.
PolicyId -> (string)
The ID of the AWS Firewall Manager policy that the violation details were requested for.
MemberAccount -> (string)
The AWS account that the violation details were requested for.
ResourceId -> (string)
The resource ID that the violation details were requested for.
ResourceType -> (string)
The resource type that the violation details were requested for.
ResourceViolations -> (list)
List of violations for the requested resource.
(structure)
Violation detail based on resource type.
AwsVPCSecurityGroupViolation -> (structure)
Violation details for security groups.
ViolationTarget -> (string)
The security group rule that is being evaluated.
ViolationTargetDescription -> (string)
A description of the security group that violates the policy.
PartialMatches -> (list)
List of rules specified in the security group of the AWS Firewall Manager policy that partially match the ViolationTarget rule.
(structure)
The reference rule that partially matches the ViolationTarget rule and violation reason.
Reference -> (string)
The reference rule from the master security group of the AWS Firewall Manager policy.
TargetViolationReasons -> (list)
The violation reason.
(string)
PossibleSecurityGroupRemediationActions -> (list)
Remediation options for the rule specified in the ViolationTarget.
(structure)
Remediation option for the rule specified in the ViolationTarget.
RemediationActionType -> (string)
The remediation action that will be performed.
Description -> (string)
Brief description of the action that will be performed.
RemediationResult -> (structure)
The final state of the rule specified in the ViolationTarget after it is remediated.
IPV4Range -> (string)
The IPv4 ranges for the security group rule.
IPV6Range -> (string)
The IPv6 ranges for the security group rule.
PrefixListId -> (string)
The ID of the prefix list for the security group rule.
Protocol -> (string)
The IP protocol name (tcp, udp, icmp, icmpv6) or number.
FromPort -> (long)
The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types.
ToPort -> (long)
The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes.
IsDefaultAction -> (boolean)
Indicates if the current action is the default action.
AwsEc2NetworkInterfaceViolation -> (structure)
Violation details for network interface.
ViolationTarget -> (string)
The resource ID of the network interface.
ViolatingSecurityGroups -> (list)
List of security groups that violate the rules specified in the master security group of the AWS Firewall Manager policy.
(string)
AwsEc2InstanceViolation -> (structure)
Violation details for an EC2 instance.
ViolationTarget -> (string)
The resource ID of the EC2 instance.
AwsEc2NetworkInterfaceViolations -> (list)
Violations for network interfaces associated with the EC2 instance.
(structure)
Violations for network interfaces associated with an EC2 instance.
ViolationTarget -> (string)
The resource ID of the network interface.
ViolatingSecurityGroups -> (list)
List of security groups that violate the rules specified in the master security group of the AWS Firewall Manager policy.
(string)
NetworkFirewallMissingFirewallViolation -> (structure)
Violation detail for a Network Firewall policy that indicates that a subnet has no Firewall Manager managed firewall in its VPC.
ViolationTarget -> (string)
The ID of the AWS Network Firewall or VPC resource that’s in violation.
VPC -> (string)
The resource ID of the VPC associated with a violating subnet.
AvailabilityZone -> (string)
The Availability Zone of a violating subnet.
TargetViolationReason -> (string)
The reason the resource has this violation, if one is available.
NetworkFirewallMissingSubnetViolation -> (structure)
Violation detail for a Network Firewall policy that indicates that an Availability Zone is missing the expected Firewall Manager managed subnet.
ViolationTarget -> (string)
The ID of the AWS Network Firewall or VPC resource that’s in violation.
VPC -> (string)
The resource ID of the VPC associated with a violating subnet.
AvailabilityZone -> (string)
The Availability Zone of a violating subnet.
TargetViolationReason -> (string)
The reason the resource has this violation, if one is available.
NetworkFirewallMissingExpectedRTViolation -> (structure)
Violation detail for a Network Firewall policy that indicates that a subnet is not associated with the expected Firewall Manager managed route table.
ViolationTarget -> (string)
The ID of the AWS Network Firewall or VPC resource that’s in violation.
VPC -> (string)
The resource ID of the VPC associated with a violating subnet.
AvailabilityZone -> (string)
The Availability Zone of a violating subnet.
CurrentRouteTable -> (string)
The resource ID of the current route table that’s associated with the subnet, if one is available.
ExpectedRouteTable -> (string)
The resource ID of the route table that should be associated with the subnet.
NetworkFirewallPolicyModifiedViolation -> (structure)
Violation detail for a Network Firewall policy that indicates that a firewall policy in an individual account has been modified in a way that makes it noncompliant. For example, the individual account owner might have deleted a rule group, changed the priority of a stateless rule group, or changed a policy default action.
ViolationTarget -> (string)
The ID of the AWS Network Firewall or VPC resource that’s in violation.
CurrentPolicyDescription -> (structure)
The policy that’s currently in use in the individual account.
StatelessRuleGroups -> (list)
The stateless rule groups that are used in the Network Firewall firewall policy.
(structure)
AWS Network Firewall stateless rule group, used in a NetworkFirewallPolicyDescription.
RuleGroupName -> (string)
The name of the rule group.
ResourceId -> (string)
The resource ID of the rule group.
Priority -> (integer)
The priority of the rule group. AWS Network Firewall evaluates the stateless rule groups in a firewall policy starting from the lowest priority setting.
StatelessDefaultActions -> (list)
The actions to take on packets that don’t match any of the stateless rule groups.
(string)
StatelessFragmentDefaultActions -> (list)
The actions to take on packet fragments that don’t match any of the stateless rule groups.
(string)
StatelessCustomActions -> (list)
Names of custom actions that are available for use in the stateless default actions settings.
(string)
StatefulRuleGroups -> (list)
The stateful rule groups that are used in the Network Firewall firewall policy.
(structure)
AWS Network Firewall stateful rule group, used in a NetworkFirewallPolicyDescription.
RuleGroupName -> (string)
The name of the rule group.
ResourceId -> (string)
The resource ID of the rule group.
ExpectedPolicyDescription -> (structure)
The policy that should be in use in the individual account in order to be compliant.
StatelessRuleGroups -> (list)
The stateless rule groups that are used in the Network Firewall firewall policy.
(structure)
AWS Network Firewall stateless rule group, used in a NetworkFirewallPolicyDescription.
RuleGroupName -> (string)
The name of the rule group.
ResourceId -> (string)
The resource ID of the rule group.
Priority -> (integer)
The priority of the rule group. AWS Network Firewall evaluates the stateless rule groups in a firewall policy starting from the lowest priority setting.
StatelessDefaultActions -> (list)
The actions to take on packets that don’t match any of the stateless rule groups.
(string)
StatelessFragmentDefaultActions -> (list)
The actions to take on packet fragments that don’t match any of the stateless rule groups.
(string)
StatelessCustomActions -> (list)
Names of custom actions that are available for use in the stateless default actions settings.
(string)
StatefulRuleGroups -> (list)
The stateful rule groups that are used in the Network Firewall firewall policy.
(structure)
AWS Network Firewall stateful rule group, used in a NetworkFirewallPolicyDescription.
RuleGroupName -> (string)
The name of the rule group.
ResourceId -> (string)
The resource ID of the rule group.
ResourceTags -> (list)
The ResourceTag objects associated with the resource.
(structure)
A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as “environment”) and the tag value represents a specific value within that category (such as “test,” “development,” or “production”). You can add up to 50 tags to each AWS resource.
Key -> (string)
Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as “customer.” Tag keys are case-sensitive.
Value -> (string)
Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as “companyA” or “companyB.” Tag values are case-sensitive.
ResourceDescription -> (string)
Brief description for the requested resource.
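As an added example that is not part of the AWS CLI reference, the Python below triages the ViolationDetail structure described above (as returned by `aws fms get-violation-details --output json`), pulling out each violation's type, target, partial-match reasons and default remediation. SAMPLE is a constructed response; every ID, reason string and action type in it is a placeholder.

```python
# Added example (not from the AWS CLI reference): triage the ViolationDetail
# structure that `aws fms get-violation-details --output json` returns.
# SAMPLE is a constructed response; every ID, reason and action type is a placeholder.
SAMPLE = {"ViolationDetail": {
    "PolicyId": "policy-id-placeholder", "MemberAccount": "111122223333",
    "ResourceId": "sg-placeholder", "ResourceType": "AWS::EC2::SecurityGroup",
    "ResourceViolations": [
        {"AwsVPCSecurityGroupViolation": {
            "ViolationTarget": "sgr-placeholder",
            "PartialMatches": [{"Reference": "sg-policy-placeholder",
                                "TargetViolationReasons": ["CONSTRUCTED_REASON"]}],
            "PossibleSecurityGroupRemediationActions": [
                {"RemediationActionType": "REMOVE", "Description": "Remove the rule",
                 "IsDefaultAction": False},
                {"RemediationActionType": "MODIFY", "Description": "Narrow the rule",
                 "RemediationResult": {"IPV4Range": "10.0.0.0/16", "Protocol": "tcp",
                                       "FromPort": 22, "ToPort": 22},
                 "IsDefaultAction": True}]}},
        {"NetworkFirewallMissingExpectedRTViolation": {
            "ViolationTarget": "subnet-placeholder", "VPC": "vpc-placeholder",
            "AvailabilityZone": "us-east-1a", "CurrentRouteTable": "rtb-current",
            "ExpectedRouteTable": "rtb-expected"}}],
    "ResourceTags": [{"Key": "environment", "Value": "production"}]}}

def describe_rule(result):
    """Render a RemediationResult: the rule as it will look after remediation."""
    source = result.get("IPV4Range") or result.get("IPV6Range") or result.get("PrefixListId")
    return f"{result.get('Protocol')} {result.get('FromPort')}-{result.get('ToPort')} from {source}"

def triage(response):
    """One summary dict per ResourceViolations entry; each entry has one populated member."""
    rows = []
    for entry in response["ViolationDetail"]["ResourceViolations"]:
        (vtype, body), = entry.items()  # member name is the violation type
        row = {"type": vtype, "target": body.get("ViolationTarget")}
        if vtype == "AwsVPCSecurityGroupViolation":
            row["reasons"] = [r for m in body.get("PartialMatches", [])
                              for r in m.get("TargetViolationReasons", [])]
            default = next((a for a in body.get("PossibleSecurityGroupRemediationActions", [])
                            if a.get("IsDefaultAction")), None)
            if default:
                row["default_action"] = default["RemediationActionType"]
                if "RemediationResult" in default:
                    row["after"] = describe_rule(default["RemediationResult"])
        else:  # NetworkFirewall*Violation members share these optional fields
            row.update({k: body[k] for k in ("VPC", "AvailabilityZone",
                        "CurrentRouteTable", "ExpectedRouteTable") if k in body})
        rows.append(row)
    return rows
```

Feed it the parsed JSON of a real response to get one row per violation, which is handy for routing security-group findings and Network Firewall route-table drift to different owners.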