Ensure Network firewall resides in a dedicated subnet
The network firewall protects the Availability Zone in which it resides. It is the gate to your AZ, and therefore should sit alone in a small, dedicated subnet. Do not place other applications in the subnet that hosts a firewall endpoint, because the network firewall cannot filter traffic entering or leaving its own subnet.
Risk Level: Medium
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.AWS.NET.65
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NetworkFirewall should have subnetMappings contain-all [getResource('Subnet', subnetId) contain [cidr numberOfHosts() <=15]]
REMEDIATION
From Command Line
To move the Network Firewall to a new subnet, first create a small subnet in the Availability Zone where you want the firewall endpoint.
- Then temporarily disable subnet change protection with the following CLI command:
aws network-firewall update-subnet-change-protection --firewall-arn FW_ARN --no-subnet-change-protection
Note: The flag --no-subnet-change-protection sets the subnet change protection to FALSE.
- Use the command below to associate the network firewall with the new subnet:
aws network-firewall associate-subnets --firewall-arn FW_ARN --subnet-mappings SubnetId=SUBNET_ID
- Use the command below to disassociate the previous subnet from the network firewall:
aws network-firewall disassociate-subnets --firewall-arn FW_ARN --subnet-ids SUBNET_ID
Note: Don't forget to re-enable subnet change protection when you finish:
aws network-firewall update-subnet-change-protection --firewall-arn FW_ARN --subnet-change-protection
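The following script is an added example, not CloudGuard's or AWS's own code. It ties the GSL check above to the remediation steps: it evaluates each subnet mapped to a firewall against the 15-host limit, then emits the four-command move sequence in the order the steps require (protection off, associate new, disassociate old, protection back on). It assumes that numberOfHosts() means the usable-host count 2^(32-prefix) - 2 (so /28 is the largest compliant prefix); the page does not define the function. The subnet list is a constructed sample in the shape of aws ec2 describe-subnets --query 'Subnets[].[SubnetId,CidrBlock]' --output text, the firewall ARN is a placeholder, and DRY_RUN defaults to 1 so no AWS call is made until you clear it.

```shell
#!/bin/sh
# Added example (not CloudGuard's or AWS's code): check firewall subnet sizes
# and produce the remediation plan for any subnet that is too large.

# Usable hosts in an IPv4 CIDR. Assumed to match numberOfHosts() in the GSL
# rule: 2^(32-prefix) - 2 (network and broadcast excluded). Rejects bad input.
cidr_hosts() {
  prefix="${1#*/}"
  case "$prefix" in
    ''|*[!0-9]*) echo "bad CIDR: $1" >&2; return 1 ;;
  esac
  [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
  if [ "$prefix" -ge 31 ]; then
    echo 0   # /31 and /32 carry no classic host range
  else
    echo $(( (1 << (32 - prefix)) - 2 ))
  fi
}

# Constructed sample (one "SubnetId CidrBlock" pair per line), the same shape
# that describe-subnets --output text prints with tab separators.
SAMPLE_SUBNETS='subnet-0fwsmall01 10.0.250.0/28
subnet-0shared02 10.0.1.0/24'

# Print "subnetId cidr hosts" for every subnet with more usable hosts than
# MAX_HOSTS (default 15, the rule's threshold). Prints nothing when compliant.
check_firewall_subnets() {
  max="${2:-15}"
  printf '%s\n' "$1" | while read -r sid cidr; do
    [ -n "$sid" ] || continue
    hosts=$(cidr_hosts "$cidr") || continue
    if [ "$hosts" -gt "$max" ]; then
      printf '%s %s %s\n' "$sid" "$cidr" "$hosts"
    fi
  done
}

# Guard for every mutating call: DRY_RUN=1 (default) prints the command
# instead of executing it, so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# The page's remediation sequence for one firewall: move it from OLD_SUBNET
# to NEW_SUBNET, lowering change protection only for the duration of the move.
move_firewall_subnet() {
  fw_arn="$1"; old_subnet="$2"; new_subnet="$3"
  run aws network-firewall update-subnet-change-protection --firewall-arn "$fw_arn" --no-subnet-change-protection
  run aws network-firewall associate-subnets --firewall-arn "$fw_arn" --subnet-mappings "SubnetId=$new_subnet"
  run aws network-firewall disassociate-subnets --firewall-arn "$fw_arn" --subnet-ids "$old_subnet"
  run aws network-firewall update-subnet-change-protection --firewall-arn "$fw_arn" --subnet-change-protection
}

# Demo on the constructed sample: report oversized subnets, then show the plan.
# The ARN is a placeholder, not a real resource.
check_firewall_subnets "$SAMPLE_SUBNETS" | while read -r sid cidr hosts; do
  printf '%s (%s, %s usable hosts) exceeds the 15-host limit\n' "$sid" "$cidr" "$hosts"
done
move_firewall_subnet "arn:aws:network-firewall:us-east-1:111122223333:firewall/PLACEHOLDER" subnet-0shared02 subnet-0fwsmall01
```

Run it as-is to see which mapped subnet fails the check and the exact commands that would be issued; set DRY_RUN=0 only after reviewing the plan, and keep the window between the two update-subnet-change-protection calls as short as possible, since subnet mappings are unprotected in between.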
References
- https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-vpc.html
- https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-subnet-change-protection.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/associate-subnets.html
AWS Network-Firewall
AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall's flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset