AWS Firewall Manager API

The AWS Firewall Manager API provides programmatic access to create and manage security policies, compliance status, and protection configurations for AWS WAF, Shield, and VPC security groups across your organization.


Schemas & Data

📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-schema/amazon-firewall-manager-policy-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-schema/amazon-firewall-manager-compliance-violator-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-schema/amazon-firewall-manager-resource-set-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-schema/amazon-firewall-manager-security-service-policy-data-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-schema/amazon-firewall-manager-tag-schema.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-structure/amazon-firewall-manager-policy-structure.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-structure/amazon-firewall-manager-compliance-violator-structure.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-structure/amazon-firewall-manager-resource-set-structure.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-structure/amazon-firewall-manager-security-service-policy-data-structure.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/amazon-firewall-manager/refs/heads/main/json-structure/amazon-firewall-manager-tag-structure.json

Other Resources

OpenAPI Specification

amazon-firewall-manager-openapi.yml Raw ↑
# OpenAPI 3.1 description of the AWS Firewall Manager operations listed under
# `paths`. No operation declares its own `security`, so all of them inherit the
# document-level requirement below.
openapi: 3.1.0
info:
  title: AWS Firewall Manager API
  version: '2018-01-01'
  description: >-
    AWS Firewall Manager is a security management service that enables you to
    centrally configure and manage firewall rules across your accounts and
    applications in AWS Organizations.
  contact:
    name: AWS Support
    url: https://aws.amazon.com/premiumsupport/
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
servers:
# Regional endpoint; `region` is substituted into the host name.
- url: https://fms.{region}.amazonaws.com
  variables:
    region:
      default: us-east-1
# Every request must satisfy the awsSigV4 scheme defined under components.
security:
- awsSigV4: []
# Tag names are referenced verbatim by the operations under `paths`.
tags:
- {name: Policies, description: Firewall Manager security policies}
- {name: Admin Accounts, description: Firewall Manager administrator account management}
- {name: Member Accounts, description: Member account association}
- {name: Compliance, description: Compliance status and violations}
- {name: Resources, description: Resource sets and tags}
- {name: Protocols, description: Protocol and resource tag lists}
paths:
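  /fms/2018-01-01/policies:
    # Lists policies (GET) and creates or updates one (POST).
    # NOTE(review): confirm these REST-style paths against the AWS API reference
    # before pointing a generated client at the live service.
    get:
      operationId: listPolicies
      summary: List Policies
      # NOTE(review): the description names PolicySummary, but the 200 schema
      # resolves to the full Policy object - confirm which shape is intended.
      description: Returns an array of PolicySummary objects.
      tags:
      - Policies
      parameters:
      # Page size; the schema sets no minimum or maximum.
      - name: maxResults
        in: query
        schema:
          type: integer
        description: Maximum number of policies to return.
      # Pagination cursor; presumably the NextToken of the previous response.
      - name: nextToken
        in: query
        schema:
          type: string
        description: Pagination token.
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListPoliciesResponse'
              examples:
                default:
                  x-microcks-default: true
                  value:
                    # NextToken is left out of this sample: the schema types
                    # it as a string, so a null value would not validate.
                    PolicyList:
                    # Anchored so the putPolicy and getPolicy examples can
                    # reuse the same policy through *id001.
                    - &id001
                      PolicyId: p-abc12345
                      PolicyName: WAF-Policy-Production
                      # Quoted so every parser reads the digit-colon prefix
                      # as part of a string.
                      PolicyUpdateToken: '1:abc123'
                      SecurityServicePolicyData:
                        Type: WAF
                      ResourceType: AWS::ElasticLoadBalancingV2::LoadBalancer
                      ExcludeResourceTags: false
                      RemediationEnabled: true
                      PolicyArn: arn:aws:fms:us-east-1:123456789012:policy/p-abc12345
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      operationId: putPolicy
      summary: Put Policy
      # The same call both creates and overwrites a policy, so write access to
      # it is write access to every policy it can name.
      description: Creates or updates an AWS Firewall Manager policy.
      tags:
      - Policies
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PutPolicyRequest'
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PutPolicyResponse'
              examples:
                default:
                  x-microcks-default: true
                  value:
                    # Same sample policy as the listPolicies example.
                    Policy: *id001
                    PolicyArn: arn:aws:fms:us-east-1:123456789012:policy/p-abc12345
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK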
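  /fms/2018-01-01/policies/{policyId}:
    # Reads (GET) or permanently removes (DELETE) a single policy by ID.
    get:
      operationId: getPolicy
      summary: Get Policy
      description: Returns information about the specified AWS Firewall Manager policy.
      tags:
      - Policies
      parameters:
      - name: policyId
        in: path
        required: true
        schema:
          type: string
        description: The ID of the policy.
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GetPolicyResponse'
              examples:
                default:
                  x-microcks-default: true
                  value:
                    # Reuses the sample policy anchored as &id001 in the
                    # listPolicies example.
                    Policy: *id001
                    PolicyArn: arn:aws:fms:us-east-1:123456789012:policy/p-abc12345
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '404':
          description: Not Found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    delete:
      operationId: deletePolicy
      summary: Delete Policy
      # Destructive: removing a policy ends the protection it enforced, so this
      # operation is worth restricting through IAM and watching in audit logs.
      description: Permanently deletes an AWS Firewall Manager policy.
      tags:
      - Policies
      parameters:
      - name: policyId
        in: path
        required: true
        schema:
          type: string
        description: The ID of the policy.
      # Optional; no default is declared in this document.
      - name: deleteAllPolicyResources
        in: query
        schema:
          type: boolean
        description: >-
          If true, the request also performs cleanup according to the policy
          type, removing the protections that Firewall Manager created for this
          policy (for example web ACL associations and Firewall Manager-managed
          security groups) from in-scope resources.
      responses:
        '200':
          description: Success
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '404':
          description: Not Found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK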
  /fms/2018-01-01/compliance/{policyId}/detail/{memberAccountId}:
    # Compliance detail for one member account under one policy.
    get:
      operationId: getComplianceDetail
      summary: Get Compliance Detail
      description: >-
        Returns detailed compliance information about the specified member
        account.
      tags: [Compliance]
      parameters:
      # Both identifiers are plain strings here; no pattern is declared.
      - name: policyId
        in: path
        required: true
        description: The ID of the policy.
        schema: {type: string}
      - name: memberAccountId
        in: path
        required: true
        description: The AWS account ID.
        schema: {type: string}
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema: {$ref: '#/components/schemas/GetComplianceDetailResponse'}
              examples:
                default:
                  x-microcks-default: true
                  value:
                    PolicyComplianceDetail:
                      PolicyId: p-abc12345
                      # Quoted so the account ID stays a string.
                      MemberAccount: '123456789012'
                      # Empty list: this sample reports no violators.
                      Violators: []
                      EvaluationLimitExceeded: false
                      ExpiredAt: '2026-04-19T00:00:00Z'
        '400':
          description: Bad Request
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
        '404':
          description: Not Found
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
      x-microcks-operation: {delay: 0, dispatcher: FALLBACK}
  /fms/2018-01-01/admin-account:
    # Reads (GET), sets (PUT) and clears (DELETE) the Firewall Manager
    # administrator account.
    # NOTE(review): PUT and DELETE decide which account administers firewall
    # policy - presumably worth restricting through IAM and alerting on.
    get:
      operationId: getAdminAccount
      summary: Get Admin Account
      description: >-
        Returns the AWS Organizations master account that is associated with AWS
        Firewall Manager as the AWS Firewall Manager default administrator.
      tags: [Admin Accounts]
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema: {$ref: '#/components/schemas/GetAdminAccountResponse'}
              examples:
                default:
                  x-microcks-default: true
                  value:
                    # Quoted so the account ID stays a string.
                    AdminAccount: '123456789012'
                    RoleStatus: READY
        '400':
          description: Bad Request
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
      x-microcks-operation: {delay: 0, dispatcher: FALLBACK}
    put:
      operationId: associateAdminAccount
      summary: Associate Admin Account
      description: Sets the AWS Firewall Manager administrator account.
      tags: [Admin Accounts]
      requestBody:
        required: true
        content:
          application/json:
            # Inline schema: the body is a single required account ID string.
            schema:
              type: object
              required: [AdminAccount]
              properties:
                AdminAccount: {type: string}
      responses:
        # Success carries no response body.
        '200':
          description: Success
        '400':
          description: Bad Request
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
      x-microcks-operation: {delay: 0, dispatcher: FALLBACK}
    delete:
      operationId: disassociateAdminAccount
      summary: Disassociate Admin Account
      description: >-
        Disassociates the account that has been set as the AWS Firewall Manager
        administrator account.
      tags: [Admin Accounts]
      responses:
        # Success carries no response body.
        '200':
          description: Success
        '400':
          description: Bad Request
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
      x-microcks-operation: {delay: 0, dispatcher: FALLBACK}
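  /fms/2018-01-01/member-account:
    # Paginated listing of the member accounts in the administrator's
    # organization.
    get:
      operationId: listMemberAccounts
      summary: List Member Accounts
      description: Returns a MemberAccounts object that lists the member accounts in the administrator account's AWS organization.
      tags:
      - Member Accounts
      parameters:
      # Pagination cursor; presumably the NextToken of the previous response.
      - name: nextToken
        in: query
        schema:
          type: string
        description: Pagination token.
      # Page size; the schema sets no minimum or maximum.
      - name: maxResults
        in: query
        schema:
          type: integer
        description: Maximum number of accounts to return.
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListMemberAccountsResponse'
              examples:
                default:
                  x-microcks-default: true
                  value:
                    # NextToken is left out of this sample: the schema types
                    # it as a string, so a null value would not validate.
                    MemberAccounts:
                    # Quoted so the account IDs stay strings.
                    - '123456789012'
                    - '234567890123'
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK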
  /fms/2018-01-01/resource-set:
    # Creates or updates a resource set; the same call serves both cases.
    put:
      operationId: putResourceSet
      summary: Put Resource Set
      description: Creates or updates a resource set.
      tags: [Resources]
      requestBody:
        required: true
        content:
          application/json:
            schema: {$ref: '#/components/schemas/PutResourceSetRequest'}
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema: {$ref: '#/components/schemas/PutResourceSetResponse'}
              examples:
                default:
                  x-microcks-default: true
                  value:
                    # Sample carries the two fields the ResourceSet schema
                    # requires (Name, ResourceTypeList) plus the Id.
                    ResourceSet:
                      Id: rs-abc123
                      Name: MyResourceSet
                      ResourceTypeList:
                      - AWS::ElasticLoadBalancingV2::LoadBalancer
                    ResourceSetArn: arn:aws:fms:us-east-1:123456789012:resource-set/rs-abc123
        '400':
          description: Bad Request
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
      x-microcks-operation: {delay: 0, dispatcher: FALLBACK}
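  /fms/2018-01-01/resource-set/list:
    # Paginated listing of resource sets; the paging fields travel in an
    # optional JSON body rather than in the query string.
    post:
      operationId: listResourceSets
      summary: List Resource Sets
      description: Returns an array of ResourceSetSummary objects.
      tags:
      - Resources
      requestBody:
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                # Pagination cursor; presumably the NextToken of the
                # previous response.
                NextToken:
                  type: string
                # Page size; the schema sets no minimum or maximum.
                MaxResults:
                  type: integer
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListResourceSetsResponse'
              examples:
                default:
                  x-microcks-default: true
                  value:
                    # NextToken is left out of this sample: the schema types
                    # it as a string, so a null value would not validate.
                    ResourceSets:
                    - Id: rs-abc123
                      Name: MyResourceSet
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK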
  /fms/2018-01-01/tags/{resourceArn}:
    # Reads (GET) and adds (POST) tags on the resource named by its ARN.
    # An ARN contains ':' and '/', so a client has to percent-encode it to
    # keep it a single path segment.
    get:
      operationId: listTagsForResource
      summary: List Tags For Resource
      description: Retrieves the list of tags for the specified AWS resource.
      tags: [Resources]
      parameters:
      - name: resourceArn
        in: path
        required: true
        description: The Amazon Resource Name (ARN) of the resource.
        schema: {type: string}
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ListTagsForResourceResponse'}
              examples:
                default:
                  x-microcks-default: true
                  value:
                    TagList:
                    - Key: Environment
                      Value: Production
        '400':
          description: Bad Request
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
      x-microcks-operation: {delay: 0, dispatcher: FALLBACK}
    post:
      operationId: tagResource
      summary: Tag Resource
      description: Adds one or more tags to an AWS resource.
      tags: [Resources]
      parameters:
      - name: resourceArn
        in: path
        required: true
        description: The ARN of the resource.
        schema: {type: string}
      requestBody:
        required: true
        content:
          application/json:
            # Inline schema: a required list of Tag objects.
            schema:
              type: object
              required: [TagList]
              properties:
                TagList:
                  type: array
                  items: {$ref: '#/components/schemas/Tag'}
      responses:
        # Success carries no response body.
        '200':
          description: Success
        '400':
          description: Bad Request
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema: {$ref: '#/components/schemas/ErrorResponse'}
      x-microcks-operation: {delay: 0, dispatcher: FALLBACK}
components:
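  securitySchemes:
    # OpenAPI has no native SigV4 scheme type, so it is modelled as a header
    # apiKey. The header value is a signature computed for each request from
    # the caller's AWS credentials, never a fixed key to paste into a client.
    awsSigV4:
      type: apiKey
      in: header
      name: Authorization
      description: >-
        AWS Signature Version 4 authentication. The Authorization header carries
        a per-request signature derived from the caller's AWS credentials; it is
        not a static API key.
      # Amazon API Gateway's marker for SigV4 on an apiKey scheme.
      x-amazon-apigateway-authtype: awsSigv4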
  schemas:
    # Full policy object used by the policy request and response wrappers.
    Policy:
      description: >-
        An AWS Firewall Manager policy that defines security rules and which
        resources are in scope.
      type: object
      # PolicyId, PolicyUpdateToken and PolicyArn are optional in this schema.
      required:
      - PolicyName
      - SecurityServicePolicyData
      - ResourceType
      - ExcludeResourceTags
      - RemediationEnabled
      properties:
        PolicyId: {type: string}
        PolicyName: {type: string}
        PolicyUpdateToken: {type: string}
        SecurityServicePolicyData:
          $ref: '#/components/schemas/SecurityServicePolicyData'
        ResourceType: {type: string}
        ResourceTypeList:
          type: array
          items: {type: string}
        ResourceTags:
          type: array
          items: {$ref: '#/components/schemas/ResourceTag'}
        # NOTE(review): presumably selects whether ResourceTags include or
        # exclude resources from scope - confirm against the API reference.
        ExcludeResourceTags: {type: boolean}
        RemediationEnabled: {type: boolean}
        PolicyArn: {type: string}
        # Both maps go from an arbitrary string key to a list of strings; the
        # allowed keys are not constrained here.
        IncludeMap:
          type: object
          additionalProperties:
            type: array
            items: {type: string}
        ExcludeMap:
          type: object
          additionalProperties:
            type: array
            items: {type: string}
    # Selects the protection service a policy applies; only Type is required.
    SecurityServicePolicyData:
      description: Details about the security service used to protect the resources.
      type: object
      required: [Type]
      properties:
        Type:
          type: string
          # Closed list: any other value fails validation against this schema.
          enum:
          - WAF
          - WAFV2
          - SHIELD_ADVANCED
          - SECURITY_GROUPS_COMMON
          - SECURITY_GROUPS_CONTENT_AUDIT
          - SECURITY_GROUPS_USAGE_AUDIT
          - NETWORK_FIREWALL
          - DNS_FIREWALL
          - THIRD_PARTY_FIREWALL
          - IMPORT_NETWORK_FIREWALL
        # Typed as an opaque string; this schema does not validate its content.
        ManagedServiceData: {type: string}
        # Free-form object; no properties are declared.
        PolicyOption: {type: object}
    # Scoping tag: unlike Tag, only Key is required here.
    ResourceTag:
      description: A tag used to target resources in scope of a Firewall Manager policy.
      type: object
      required: [Key]
      properties:
        Key: {type: string}
        Value: {type: string}
    # One noncompliant resource; every field is optional in this schema.
    ComplianceViolator:
      description: >-
        A resource that is not in compliance with the specified AWS Firewall
        Manager policy.
      type: object
      properties:
        ResourceId: {type: string}
        ViolationReason: {type: string}
        ResourceType: {type: string}
        # Arbitrary string-to-string map.
        Metadata:
          type: object
          additionalProperties: {type: string}
    # Full resource set object; Name and ResourceTypeList are mandatory.
    ResourceSet:
      description: A set of resources to include in a Firewall Manager policy.
      type: object
      required: [Name, ResourceTypeList]
      properties:
        Id: {type: string}
        Name: {type: string}
        Description: {type: string}
        UpdateToken: {type: string}
        ResourceTypeList:
          type: array
          items: {type: string}
        LastUpdateTime:
          type: string
          format: date-time
        ResourceSetStatus:
          type: string
          enum: [ACTIVE, OUT_OF_ADMIN_SCOPE]
    # Resource tag: both Key and Value are required.
    Tag:
      description: A collection of key-value pairs.
      type: object
      required: [Key, Value]
      properties:
        Key: {type: string}
        Value: {type: string}
    # Shared body for every 400, 404 and 500 response in this document;
    # neither field is required.
    ErrorResponse:
      description: Standard error response from the Firewall Manager API.
      type: object
      properties:
        Message: {type: string}
        Code: {type: string}
    # One page of policies plus an optional cursor for the next page.
    ListPoliciesResponse:
      type: object
      properties:
        PolicyList:
          type: array
          items: {$ref: '#/components/schemas/Policy'}
        NextToken: {type: string}
    # Body of putPolicy: the policy is mandatory, tags are optional.
    PutPolicyRequest:
      type: object
      required: [Policy]
      properties:
        Policy: {$ref: '#/components/schemas/Policy'}
        TagList:
          type: array
          items: {$ref: '#/components/schemas/Tag'}
    # putPolicy and getPolicy return the same two fields.
    PutPolicyResponse:
      type: object
      properties:
        Policy: {$ref: '#/components/schemas/Policy'}
        PolicyArn: {type: string}
    GetPolicyResponse:
      type: object
      properties:
        Policy: {$ref: '#/components/schemas/Policy'}
        PolicyArn: {type: string}
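    # Response of getComplianceDetail. The detail object is typed with the
    # fields shown in that operation's example, so Violators are validated
    # as ComplianceViolator entries instead of passing as an untyped object.
    GetComplianceDetailResponse:
      type: object
      properties:
        PolicyComplianceDetail:
          type: object
          # No field is marked required and extra fields stay allowed, so
          # responses that validated before still validate.
          properties:
            PolicyId:
              type: string
            MemberAccount:
              type: string
            Violators:
              type: array
              items:
                $ref: '#/components/schemas/ComplianceViolator'
            EvaluationLimitExceeded:
              type: boolean
            ExpiredAt:
              type: string
              format: date-time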
    # Administrator account ID and its role status, both plain strings.
    GetAdminAccountResponse:
      type: object
      properties:
        AdminAccount: {type: string}
        # No enum is declared; the getAdminAccount example shows READY.
        RoleStatus: {type: string}
    # One page of member account IDs plus an optional cursor.
    ListMemberAccountsResponse:
      type: object
      properties:
        MemberAccounts:
          type: array
          items: {type: string}
        NextToken: {type: string}
    # Body of putResourceSet: the resource set is mandatory, tags optional.
    PutResourceSetRequest:
      type: object
      required: [ResourceSet]
      properties:
        ResourceSet: {$ref: '#/components/schemas/ResourceSet'}
        TagList:
          type: array
          items: {$ref: '#/components/schemas/Tag'}
    # Stored resource set together with its ARN.
    PutResourceSetResponse:
      type: object
      properties:
        ResourceSet: {$ref: '#/components/schemas/ResourceSet'}
        ResourceSetArn: {type: string}
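    # One page of resource set summaries plus an optional cursor.
    ListResourceSetsResponse:
      type: object
      properties:
        ResourceSets:
          type: array
          # Summary shape declared inline: the listResourceSets example
          # carries only Id and Name, which the full ResourceSet schema
          # (ResourceTypeList required) would reject.
          items:
            type: object
            properties:
              Id:
                type: string
              Name:
                type: string
              Description:
                type: string
              LastUpdateTime:
                type: string
                format: date-time
              ResourceSetStatus:
                type: string
                enum:
                - ACTIVE
                - OUT_OF_ADMIN_SCOPE
        NextToken:
          type: string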
    # Tags attached to the resource; this response has no pagination cursor.
    ListTagsForResourceResponse:
      type: object
      properties:
        TagList:
          type: array
          items: {$ref: '#/components/schemas/Tag'}