Ensure Network firewall resides in a dedicated subnet
A Network Firewall endpoint inspects only the traffic that is routed through it; it cannot filter traffic whose source or destination is the firewall subnet itself. The firewall is the gate to its Availability Zone, so it should sit alone in a small, dedicated subnet (AWS recommends a /28) in each AZ it protects. Do not place other applications in the subnet where a firewall endpoint resides: anything in that subnet talks past the firewall uninspected.
Risk Level: Medium
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.AWS.NET.65
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NetworkFirewall should have subnetMappings contain-all [getResource('Subnet', subnetId) contain [cidr numberOfHosts() <=15]]
REMEDIATION
From Command Line
To move the Network Firewall into a new subnet, first create a small subnet (a /28, which matches the rule's limit of 15 hosts) in the Availability Zone where you want the firewall endpoint.
- Then temporarily disable subnet change protection with the following CLI command:
aws network-firewall update-subnet-change-protection --firewall-arn FW_ARN --no-subnet-change-protection
Note: The flag --no-subnet-change-protection sets subnet change protection to FALSE.
- Use the command below to associate the network firewall with the new subnet:
aws network-firewall associate-subnets --firewall-arn FW_ARN --subnet-mappings SubnetId=SUBNET_ID
- Use the command below to disassociate the previous subnet from the network firewall:
aws network-firewall disassociate-subnets --firewall-arn FW_ARN --subnet-ids SUBNET_ID
Note: A firewall can have only one subnet per Availability Zone. If the new subnet is in the same AZ as the old one, run the disassociate command first and then the associate command. Disassociating a subnet removes its firewall endpoint, and the new subnet receives a new endpoint ID (vpce-...), so update every route table that pointed at the old endpoint (aws network-firewall describe-firewall returns the new endpoint ID under FirewallStatus.SyncStates). Traffic that was routed through the old endpoint is not inspected until those routes are updated.
Note: Don't forget to re-enable subnet change protection when you finish:
aws network-firewall update-subnet-change-protection --firewall-arn FW_ARN --subnet-change-protection
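The script below is an added example, not code from the CloudGuard page or from AWS: it wraps the remediation steps above in the order that works for a same-AZ replacement (disassociate before associate) and adds the pre-flight check the GSL rule encodes, refusing to proceed unless the new subnet's CIDR is /28 or longer. The firewall ARN, subnet IDs and CIDR are placeholders you supply on the command line; set DRY_RUN=1 to print the aws commands instead of running them.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the CloudGuard rule or the AWS CLI):
# move an AWS Network Firewall into a small dedicated subnet.
# Usage: DRY_RUN=1 sh move_firewall_subnet.sh FW_ARN OLD_SUBNET_ID NEW_SUBNET_ID NEW_CIDR
set -eu

# Return 0 if the CIDR is /28 or longer (16 addresses or fewer, i.e. at most
# 14 host addresses), mirroring the rule's "numberOfHosts() <= 15" check.
cidr_is_dedicated_size() {
  cidr="$1"
  prefix="${cidr##*/}"
  [ "$prefix" != "$cidr" ] || return 1          # no "/" present: not a CIDR
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac # prefix must be numeric
  [ "$prefix" -ge 28 ] && [ "$prefix" -le 32 ]
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Ordered remediation. A firewall may hold only one subnet per Availability
# Zone, so the old subnet is disassociated before the new one is associated.
# Subnet change protection is switched off only for the duration of the change.
remediate() {
  fw_arn="$1"; old_subnet="$2"; new_subnet="$3"
  run aws network-firewall update-subnet-change-protection \
      --firewall-arn "$fw_arn" --no-subnet-change-protection
  run aws network-firewall disassociate-subnets \
      --firewall-arn "$fw_arn" --subnet-ids "$old_subnet"
  run aws network-firewall associate-subnets \
      --firewall-arn "$fw_arn" --subnet-mappings "SubnetId=$new_subnet"
  run aws network-firewall update-subnet-change-protection \
      --firewall-arn "$fw_arn" --subnet-change-protection
}

# Entry point when invoked with the four arguments described above.
if [ "$#" -eq 4 ]; then
  cidr_is_dedicated_size "$4" || { echo "refusing: $4 is larger than a /28" >&2; exit 2; }
  remediate "$1" "$2" "$3"
fi
```

After the associate step completes, the new subnet's endpoint ID differs from the old one, so the route-table update described above still has to be done by hand (or scripted against the output of describe-firewall) before traffic is inspected again.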
References
- https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-vpc.html
- https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-subnet-change-protection.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/associate-subnets.html
AWS Network-Firewall
AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall's flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated 27 days ago