Risk Level: High
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.TF.AWS.NET.62
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

aws_networkfirewall_firewall should have delete_protection=true

REMEDIATION

In order to set Networks firewall delete protection to TRUE, use the following CLI command:
aws network-firewall update-firewall-delete-protection --firewall-arn <FW arn> --delete-protection
The flag --delete-protection will set the deletion protection to TRUE.

Note: The firewall deletion process through the console disables this protection, Therefore it is not shown in the console.
Through the API, you must explicitly disable delete protection before you can delete the firewall.

From TF

resource "aws_networkfirewall_firewall" "example" {
	- delete_protection = false
	+ delete_protection = true
}

For more information: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-settings.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-firewall-delete-protection.html

AWS Network-Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act

Compliance Frameworks

Terraform AWS CIS Foundations