The documentation for the rules_source block of an aws_networkfirewall_rule_group says of the rules_string argument:

The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion prevention system (IPS) rules or the Suricata rules as a string.

I see no reference in the API documentation from AWS regarding the use of a file in an S3 bucket for the value of RulesString. However, the CLI documentation does mention it, as follows:

You can provide the rules from a file that you've stored in an Amazon S3 bucket, or by providing the rules in a Suricata rules string. To import from Amazon S3, provide the fully qualified name of the file that contains the rules definitions.

I have tried using an S3 URI, and an ARN to an S3 object, but get back an error message stating that the "stateful rule is invalid" for "reason: Illegal rule syntax."

Is it really possible to use the "fully qualified name of a file in an S3 bucket" as the value for rules_string and, if so, can someone provide an example?
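For comparison, the inline form of rules_string that the quoted documentation does describe, as an added example that is not part of the question above; the resource name, capacity value and the two Suricata rules are constructed for illustration, and the S3 form the question asks about is deliberately not shown since its behaviour is unconfirmed here:

```hcl
# Added example: a stateful rule group whose Suricata rules are passed
# inline as a string rather than referenced from S3.
resource "aws_networkfirewall_rule_group" "inline_ips_example" { # constructed name
  capacity = 100          # constructed value; sized for the two rules below
  name     = "inline-ips-example"
  type     = "STATEFUL"

  rule_group {
    rules_source {
      # Each rule needs a unique sid; the engine rejects malformed lines
      # with "Illegal rule syntax", the same error the question reports.
      rules_string = <<-EOT
        # Block cleartext Telnet leaving the protected subnets (constructed rule)
        drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"Outbound Telnet blocked"; sid:1000001; rev:1;)
        # Alert on outbound SMB, which rarely belongs on the Internet path (constructed rule)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Outbound SMB observed"; sid:1000002; rev:1;)
      EOT
    }
  }

  tags = {
    Purpose = "example"
  }
}
```

If the string itself is accepted by this configuration while an S3 URI or ARN in the same argument is rejected, the "Illegal rule syntax" error is the engine parsing the URI as a Suricata rule line, which is consistent with the behaviour described in the question.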