AWS Network Firewall Update: Network Firewall now introduces Reject and Alert action support for stateful domain list rule groups, providing customers with more granular control over their network traffic.

AWS · AWS · commit 64ae5932407c · 2025-09-25T18:09:43.000Z
diff --git a/.changes/next-release/feature-AWSNetworkFirewall-78837f1.json b/.changes/next-release/feature-AWSNetworkFirewall-78837f1.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS Network Firewall",
+    "contributor": "",
+    "description": "Network Firewall now introduces Reject and Alert action support for stateful domain list rule groups, providing customers with more granular control over their network traffic."
+}
diff --git a/services/networkfirewall/src/main/resources/codegen-resources/service-2.json b/services/networkfirewall/src/main/resources/codegen-resources/service-2.json
@@ -2856,7 +2856,9 @@
       "type":"string",
       "enum":[
         "ALLOWLIST",
-        "DENYLIST"
+        "DENYLIST",
+        "REJECTLIST",
+        "ALERTLIST"
       ]
     },
     "GetAnalysisReportResultsRequest":{
@@ -4082,7 +4084,7 @@
         },
         "GeneratedRulesType":{
           "shape":"GeneratedRulesType",
-          "documentation":"<p>Whether you want to allow or deny access to the domains in your target list.</p>"
+          "documentation":"<p>Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list.</p> <note> <p>When logging is enabled and you choose Alert, traffic that matches the domain specifications generates an alert in the firewall's logs. Then, traffic either passes, is rejected, or drops based on other rules in the firewall policy.</p> </note>"
         }
       },
       "documentation":"<p>Stateful inspection criteria for a domain list rule group. </p> <p>For HTTPS traffic, domain filtering is SNI-based. It uses the server name indicator extension of the TLS handshake.</p> <p>By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, you set the <code>HOME_NET</code> rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges. For more information, see <a>RuleVariables</a> in this guide and <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html\">Stateful domain list rule groups in Network Firewall</a> in the <i>Network Firewall Developer Guide</i>.</p>"
