Ensure Network firewall have policy change protection enabled
The network firewall helps you protect your VPC. Set policy change protection to protect against accidental modification of the firewall policy.
Risk Level: High
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.AWS.NET.64
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NetworkFirewall should have firewallPolicyChangeProtection=true
REMEDIATION
From TF
resource "aws_networkfirewall_firewall" "example" {
- firewall_policy_change_protection = false
+ firewall_policy_change_protection = true
}
From Command Line
In order to set Networks firewall PolicyChangeProtection to TRUE, use to following CLI command:
aws network-firewall update-firewall-policy-change-protection --region REGION_NAME --firewall-name FIREWALL_NAME --firewall-policy-change-protection
Note: The flag --firewall-policy-change-protection will set the policy change protection to TRUE.
References
- https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_UpdateFirewallPolicyChangeProtection.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-firewall-policy-change-protection.html
AWS Network-Firewall
AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).AWS Network Firewall���s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated about 1 year ago