NetworkFirewall / Client / delete_rule_group
delete_rule_group#
- NetworkFirewall.Client.delete_rule_group(**kwargs)#
Deletes the specified RuleGroup.
See also: AWS API Documentation
Request Syntax
response = client.delete_rule_group( RuleGroupName='string', RuleGroupArn='string', Type='STATELESS'|'STATEFUL' )
- Parameters:
RuleGroupName (string) –
The descriptive name of the rule group. You can’t change the name of a rule group after you create it.
You must specify the ARN or the name, and you can specify both.
RuleGroupArn (string) –
The Amazon Resource Name (ARN) of the rule group.
You must specify the ARN or the name, and you can specify both.
Type (string) –
Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.
Note
This setting is required for requests that do not include the
RuleGroupARN
.
- Return type:
dict
- Returns:
Response Syntax
{ 'RuleGroupResponse': { 'RuleGroupArn': 'string', 'RuleGroupName': 'string', 'RuleGroupId': 'string', 'Description': 'string', 'Type': 'STATELESS'|'STATEFUL', 'Capacity': 123, 'RuleGroupStatus': 'ACTIVE'|'DELETING'|'ERROR', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'ConsumedCapacity': 123, 'NumberOfAssociations': 123, 'EncryptionConfiguration': { 'KeyId': 'string', 'Type': 'CUSTOMER_KMS'|'AWS_OWNED_KMS_KEY' }, 'SourceMetadata': { 'SourceArn': 'string', 'SourceUpdateToken': 'string' }, 'SnsTopic': 'string', 'LastModifiedTime': datetime(2015, 1, 1), 'AnalysisResults': [ { 'IdentifiedRuleIds': [ 'string', ], 'IdentifiedType': 'STATELESS_RULE_FORWARDING_ASYMMETRICALLY'|'STATELESS_RULE_CONTAINS_TCP_FLAGS', 'AnalysisDetail': 'string' }, ] } }
Response Structure
(dict) –
RuleGroupResponse (dict) –
The high-level properties of a rule group. This, along with the RuleGroup, define the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
RuleGroupArn (string) –
The Amazon Resource Name (ARN) of the rule group.
Note
If this response is for a create request that had
DryRun
set toTRUE
, then this ARN is a placeholder that isn’t attached to a valid resource.RuleGroupName (string) –
The descriptive name of the rule group. You can’t change the name of a rule group after you create it.
RuleGroupId (string) –
The unique identifier for the rule group.
Description (string) –
A description of the rule group.
Type (string) –
Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.
Capacity (integer) –
The maximum operating resources that this rule group can use. Rule group capacity is fixed at creation. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.
You can retrieve the capacity that would be required for a rule group before you create the rule group by calling CreateRuleGroup with
DryRun
set toTRUE
.RuleGroupStatus (string) –
Detailed information about the current status of a rule group.
Tags (list) –
The key:value pairs to associate with the resource.
(dict) –
A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as “environment”) and the tag value represents a specific value within that category (such as “test,” “development,” or “production”). You can add up to 50 tags to each Amazon Web Services resource.
Key (string) –
The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as “customer.” Tag keys are case-sensitive.
Value (string) –
The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as “companyA” or “companyB.” Tag values are case-sensitive.
ConsumedCapacity (integer) –
The number of capacity units currently consumed by the rule group rules.
NumberOfAssociations (integer) –
The number of firewall policies that use this rule group.
EncryptionConfiguration (dict) –
A complex type that contains the Amazon Web Services KMS encryption configuration settings for your rule group.
KeyId (string) –
The ID of the Amazon Web Services Key Management Service (KMS) customer managed key. You can use any of the key identifiers that KMS supports, unless you’re using a key that’s managed by another account. If you’re using a key managed by another account, then specify the key ARN. For more information, see Key ID in the Amazon Web Services KMS Developer Guide.
Type (string) –
The type of Amazon Web Services KMS key to use for encryption of your Network Firewall resources.
SourceMetadata (dict) –
A complex type that contains metadata about the rule group that your own rule group is copied from. You can use the metadata to track the version updates made to the originating rule group.
SourceArn (string) –
The Amazon Resource Name (ARN) of the rule group that your own rule group is copied from.
SourceUpdateToken (string) –
The update token of the Amazon Web Services managed rule group that your own rule group is copied from. To determine the update token for the managed rule group, call DescribeRuleGroup.
SnsTopic (string) –
The Amazon resource name (ARN) of the Amazon Simple Notification Service SNS topic that’s used to record changes to the managed rule group. You can subscribe to the SNS topic to receive notifications when the managed rule group is modified, such as for new versions and for version expiration. For more information, see the Amazon Simple Notification Service Developer Guide..
LastModifiedTime (datetime) –
The last time that the rule group was changed.
AnalysisResults (list) –
The list of analysis results for
AnalyzeRuleGroup
. If you setAnalyzeRuleGroup
toTRUE
in CreateRuleGroup, UpdateRuleGroup, or DescribeRuleGroup, Network Firewall analyzes the rule group and identifies the rules that might adversely effect your firewall’s functionality. For example, if Network Firewall detects a rule that’s routing traffic asymmetrically, which impacts the service’s ability to properly process traffic, the service includes the rule in the list of analysis results.(dict) –
The analysis result for Network Firewall’s stateless rule group analyzer. Every time you call CreateRuleGroup, UpdateRuleGroup, or DescribeRuleGroup on a stateless rule group, Network Firewall analyzes the stateless rule groups in your account and identifies the rules that might adversely effect your firewall’s functionality. For example, if Network Firewall detects a rule that’s routing traffic asymmetrically, which impacts the service’s ability to properly process traffic, the service includes the rule in a list of analysis results.
IdentifiedRuleIds (list) –
The priority number of the stateless rules identified in the analysis.
(string) –
IdentifiedType (string) –
The types of rule configurations that Network Firewall analyzes your rule groups for. Network Firewall analyzes stateless rule groups for the following types of rule configurations:
STATELESS_RULE_FORWARDING_ASYMMETRICALLY
Cause: One or more stateless rules with the actionpass
orforward
are forwarding traffic asymmetrically. Specifically, the rule’s set of source IP addresses or their associated port numbers, don’t match the set of destination IP addresses or their associated port numbers. To mitigate: Make sure that there’s an existing return path. For example, if the rule allows traffic from source 10.1.0.0/24 to destination 20.1.0.0/24, you should allow return traffic from source 20.1.0.0/24 to destination 10.1.0.0/24.STATELESS_RULE_CONTAINS_TCP_FLAGS
Cause: At least one stateless rule with the actionpass
orforward
contains TCP flags that are inconsistent in the forward and return directions. To mitigate: Prevent asymmetric routing issues caused by TCP flags by following these actions:Remove unnecessary TCP flag inspections from the rules.
If you need to inspect TCP flags, check that the rules correctly account for changes in TCP flags throughout the TCP connection cycle, for example
SYN
andACK
flags used in a 3-way TCP handshake.
AnalysisDetail (string) –
Provides analysis details for the identified rule.
Exceptions