aws · clueleaf · Sep 9, 2023 · Sep 9, 2023 · Sep 9, 2023 · Sep 9, 2023
diff --git a/...ot/asset.b7c985ebfbf370ce93607a33c3851adc0b2b6a530f4c06be487e3c2ec3c06c39.bundle/index.js b/...ot/asset.b7c985ebfbf370ce93607a33c3851adc0b2b6a530f4c06be487e3c2ec3c06c39.bundle/index.js
diff --git a/packages/@aws-cdk/aws-route53resolver-alpha/README.md b/packages/@aws-cdk/aws-route53resolver-alpha/README.md
@@ -51,17 +51,27 @@ const assetList = new route53resolver.FirewallDomainList(this, 'AssetList', {
 
 The file must be a text file and must contain a single domain per line.
 
-Use `FirewallDomainList.fromFirewallDomainListId()` to import an existing or [AWS managed domain list](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html):
+Use `FirewallDomainList.fromFirewallDomainListId()` to import an existing domain list:
 
 ```ts
-// AWSManagedDomainsMalwareDomainList in us-east-1
 const malwareList = route53resolver.FirewallDomainList.fromFirewallDomainListId(
   this,
   'Malware',
-  'rslvr-fdl-2c46f2ecbfec4dcc',
+  'rslvr-fdl-123456789',
 );
 ```
 
+You can use `FirewallManagedDomainList` instead to import an [AWS managed domain list](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html):
+
+```ts
+// AWSManagedDomainsMalwareDomainList
+const malwareList = new route53resolver.FirewallManagedDomainList(this, 'MalwareList', {
+  managedDomainList: route53resolver.ManagedDomain.MALWARE_DOMAIN_LIST,
+});
+```
+
+AWS managed domain lists are region-specific.
+
 ### Rule group
 
 Create a rule group:

diff --git a/packages/@aws-cdk/aws-route53resolver-alpha/lib/firewall-managed-domain-list.ts b/packages/@aws-cdk/aws-route53resolver-alpha/lib/firewall-managed-domain-list.ts
@@ -0,0 +1,82 @@
+import * as path from 'path';
+import { Resource, CustomResourceProvider, CustomResource, CustomResourceProviderRuntime } from 'aws-cdk-lib/core';
+import { Construct } from 'constructs';
+import { IFirewallDomainList } from './firewall-domain-list';
+
+/**
+ * Properties for a Firewall Managed Domain List
+ */
+export interface FirewallManagedDomainListProps {
+  /**
+   * The managed domain list
+   */
+  readonly managedDomainList: ManagedDomain;
+}
+
+/**
+ * A Firewall Managed Domain List
+ *
+ * @resource AWS::CloudFormation::CustomResource
+ */
+export class FirewallManagedDomainList extends Resource implements IFirewallDomainList {
+  public readonly firewallDomainListId: string;
+
+  constructor(scope: Construct, id: string, props: FirewallManagedDomainListProps) {
+    super(scope, id);
+
+    const GET_MANAGED_DOMAIN_LIST_TYPE = 'Custom::Route53ResolverManagedDomainList';
+    const provider = CustomResourceProvider.getOrCreateProvider(this, GET_MANAGED_DOMAIN_LIST_TYPE, {
+      codeDirectory: path.join(__dirname, '..', '..',
+        'custom-resource-handlers', 'dist', 'aws-route53resolver-alpha', 'managed-domain-list-handler'),
+      useCfnResponseWrapper: false,
+      runtime: CustomResourceProviderRuntime.NODEJS_18_X,
+      description: 'Lambda function for getting route 53 resolver managed domain list ID',
+      policyStatements: [{
+        Effect: 'Allow',
+        Action: ['route53resolver:ListFirewallDomainLists'],
+        Resource: '*',
+      }],
+    });
+
+    const result = new CustomResource(this, 'GetDomainListCustomResource', {
-    const result = new CustomResource(this, 'GetDomainListCustomResource', {
+    const resource = new CustomResource(this, 'GetDomainListCustomResource', {
-    const result = new CustomResource(this, 'GetDomainListCustomResource', {
+    const resource = new CustomResource(this, 'GetDomainListCustomResource', {
+      resourceType: GET_MANAGED_DOMAIN_LIST_TYPE,
+      serviceToken: provider.serviceToken,
+      properties: {
+        DomainListName: props.managedDomainList,
+      },
+    });
+
+    this.firewallDomainListId = result.getAttString('DomainListId');
-    this.firewallDomainListId = result.getAttString('DomainListId');
+    this.firewallDomainListId = resource.getAttString('DomainListId');
-    this.firewallDomainListId = result.getAttString('DomainListId');
+    this.firewallDomainListId = resource.getAttString('DomainListId');
+  }
+}
+
+/**
+ * Managed Domain Lists
+ *
+ * @see https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html
+ */
+export enum ManagedDomain {
+  /**
+   * Domains associated with multiple DNS threat categories including malware, ransomware, botnet, spyware,
+   * and DNS tunneling to help block multiple types of threats.
+   * Includes the `AmazonGuardDutyThreatList.`
-   * and DNS tunneling to help block multiple types of threats.
-   * Includes the `AmazonGuardDutyThreatList.`
+   * and DNS tunneling to help block multiple types of threats.
+   *
+   * Includes the `AmazonGuardDutyThreatList`.
-   * and DNS tunneling to help block multiple types of threats.
-   * Includes the `AmazonGuardDutyThreatList.`
+   * and DNS tunneling to help block multiple types of threats.
+   *
+   * Includes the `AmazonGuardDutyThreatList`.
+   */
+  AGGREGATE_THREAT_LIST = 'AWSManagedDomainsAggregateThreatList',
+
+  /**
+   * Domains associated with Amazon GuardDuty DNS security findings.
+   * The domains are sourced from the GuardDuty's threat intelligence systems only,
-   * Domains associated with Amazon GuardDuty DNS security findings.
-   * The domains are sourced from the GuardDuty's threat intelligence systems only,
+   * Domains associated with Amazon GuardDuty DNS security findings.
+   *
+   * The domains are sourced from the GuardDuty's threat intelligence systems only,
-   * Domains associated with Amazon GuardDuty DNS security findings.
-   * The domains are sourced from the GuardDuty's threat intelligence systems only,
+   * Domains associated with Amazon GuardDuty DNS security findings.
+   *
+   * The domains are sourced from the GuardDuty's threat intelligence systems only,
+   * and do not contain domains sourced from external third-party sources.
+   */
+  AMAZON_GUARDDUTY_THREAT_LIST = 'AWSManagedDomainsAmazonGuardDutyThreatList',
+
+  /**
+   * Domains associated with controlling networks of computers that are infected with spamming malware.
+   */
+  BOTNET_COMMANDAND_CONTROL = 'AWSManagedDomainsBotnetCommandandControl',
+
+  /**
+   * Domains associated with sending malware, hosting malware, or distributing malware.
+   */
+  MALWARE_DOMAIN_LIST = 'AWSManagedDomainsMalwareDomainList',
+}
diff --git a/packages/@aws-cdk/aws-route53resolver-alpha/lib/index.ts b/packages/@aws-cdk/aws-route53resolver-alpha/lib/index.ts
@@ -1,4 +1,5 @@
 export * from './firewall-domain-list';
+export * from './firewall-managed-domain-list';
 export * from './firewall-rule-group';
 export * from './firewall-rule-group-association';
 

diff --git a/packages/@aws-cdk/aws-route53resolver-alpha/package.json b/packages/@aws-cdk/aws-route53resolver-alpha/package.json
@@ -85,6 +85,7 @@
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
+    "@aws-cdk/integ-tests-alpha": "0.0.0",
     "@types/jest": "^29.5.5",
     "aws-cdk-lib": "0.0.0",
     "constructs": "^10.0.0"

diff --git a/packages/@aws-cdk/aws-route53resolver-alpha/test/firewall-managed-domain-list.test.ts b/packages/@aws-cdk/aws-route53resolver-alpha/test/firewall-managed-domain-list.test.ts
@@ -0,0 +1,44 @@
+import { Template } from 'aws-cdk-lib/assertions';
+import { Stack } from 'aws-cdk-lib';
+import { FirewallManagedDomainList, ManagedDomain } from '../lib';
+
+let stack: Stack;
+beforeEach(() => {
+  stack = new Stack();
+});
+
+test('importing managed domain list creates custom resource', () => {
+  // WHEN
+  new FirewallManagedDomainList(stack, 'List', {
+    managedDomainList: ManagedDomain.MALWARE_DOMAIN_LIST,
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('Custom::Route53ResolverManagedDomainList', {
+    DomainListName: 'AWSManagedDomainsMalwareDomainList',
+  });
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+    ManagedPolicyArns: [
+      {
+        'Fn::Sub': 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
+      },
+    ],
+    Policies: [
+      {
+        PolicyName: 'Inline',
+        PolicyDocument: {
+          Version: '2012-10-17',
+          Statement: [
+            {
+              Effect: 'Allow',
+              Action: ['route53resolver:ListFirewallDomainLists'],
+              Resource: '*',
+            },
+          ],
+        },
+      },
+    ],
+  });
+  Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {});
-  Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {});
+  Template.fromStack(stack).resourceCountIs('AWS::Lambda::Function', 1);
-  Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {});
+  Template.fromStack(stack).resourceCountIs('AWS::Lambda::Function', 1);
+});
+
diff --git a/...er-alpha/test/integ.firewall.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json b/...er-alpha/test/integ.firewall.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json
diff --git a/...-alpha/test/integ.firewall.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.template.json b/...-alpha/test/integ.firewall.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.template.json
diff --git a/....snapshot/asset.0657aae65aeb2f81552ea75da77c0976cb56ddfe104b472760ff542699a04040/index.js b/....snapshot/asset.0657aae65aeb2f81552ea75da77c0976cb56ddfe104b472760ff542699a04040/index.js
diff --git a/...3resolver-alpha/test/integ.firewall.js.snapshot/cdk-route53-resolver-firewall.assets.json b/...3resolver-alpha/test/integ.firewall.js.snapshot/cdk-route53-resolver-firewall.assets.json