Ensure Network firewall have subnet change protection enabled
The network firewall helps you protect your VPC. Set subnet change protection to protect against accidental modification of the subnet associations, which might expose a protected subnet.
Risk Level: High
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.TF.AWS.NET.63
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
aws_networkfirewall_firewall should have subnet_change_protection=true
REMEDIATION
In order to set Networks firewall SubnetChangeProtection to TRUE, use to following CLI command:
aws network-firewall update-subnet-change-protection --firewall-arn <FW arn> --subnet-change-protection
The flag --subnet-change-protection will set the subnet change protection to TRUE.
From TF
resource "aws_networkfirewall_firewall" "example" {
- subnet_change_protection = false
+ subnet_change_protection = true
}
For more information: https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_UpdateSubnetChangeProtection.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-subnet-change-protection.html
AWS Network-Firewall
AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).AWS Network Firewall���s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act
Compliance Frameworks
- Terraform AWS CIS Foundations
Updated about 1 year ago