Ensure Network firewall resides in a dedicated subnet
The network firewall protects the availability zone where it resides. It is the gate to your AZ, and therefore should be alone in a small and dedicated subnet. You should not place other applications in a subnet where a firewall resides, because the network firewall can't filter traffic coming into or going out from that subnet.
Risk Level: Medium
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.TF.AWS.NET.65
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
aws_networkfirewall_firewall should have subnet_mapping contain-all [getResource('aws_subnet',subnet_id) with [cidr_block numberOfHosts() <=15]]
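The same condition can be evaluated locally against the JSON that terraform show -json produces for a state. This is an added example, not CloudGuard's implementation; it assumes numberOfHosts() counts a block's addresses minus the network and broadcast address (so a /28 yields 14), and the sample state and its IDs are constructed.

```python
import ipaddress

MAX_HOSTS = 15  # threshold taken from the rule's GSL logic


def host_count(cidr):
    """Assumed meaning of numberOfHosts(): addresses minus network and broadcast."""
    return max(ipaddress.ip_network(cidr, strict=False).num_addresses - 2, 0)


def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def check_firewall_subnets(state):
    """Return (firewall address, subnet id, reason) for each failing subnet mapping."""
    resources = list(walk(state["values"]["root_module"]))
    subnets = {r["values"]["id"]: r["values"].get("cidr_block")
               for r in resources if r["type"] == "aws_subnet"}
    findings = []
    for r in resources:
        if r["type"] != "aws_networkfirewall_firewall":
            continue
        for mapping in r["values"].get("subnet_mapping", []):
            sid = mapping["subnet_id"]
            cidr = subnets.get(sid)
            if cidr is None:
                # Choice made by this example: an unresolvable subnet is reported.
                findings.append((r["address"], sid, "no IPv4 CIDR found for subnet"))
            elif host_count(cidr) > MAX_HOSTS:
                findings.append((r["address"], sid, f"{cidr} has {host_count(cidr)} hosts"))
    return findings


# Constructed sample state, not taken from a real deployment.
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    {"address": "aws_subnet.fw", "type": "aws_subnet",
     "values": {"id": "subnet-fw000001", "cidr_block": "10.0.0.0/28"}},
    {"address": "aws_subnet.app", "type": "aws_subnet",
     "values": {"id": "subnet-app00001", "cidr_block": "10.0.1.0/24"}},
    {"address": "aws_networkfirewall_firewall.good", "type": "aws_networkfirewall_firewall",
     "values": {"subnet_mapping": [{"subnet_id": "subnet-fw000001"}]}},
    {"address": "aws_networkfirewall_firewall.bad", "type": "aws_networkfirewall_firewall",
     "values": {"subnet_mapping": [{"subnet_id": "subnet-app00001"}]}},
]}}}

if __name__ == "__main__":
    for finding in check_firewall_subnets(SAMPLE_STATE):
        print(finding)
```

The check only covers subnet size, as the GSL logic does; whether other workloads share the firewall subnet still has to be reviewed separately.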
REMEDIATION
To place the network firewall in a new subnet, create a small subnet in the availability zone where you want the network firewall.
Afterward, temporarily disable subnet change protection with the following CLI command:
aws network-firewall update-subnet-change-protection --firewall-arn <FW arn> --no-subnet-change-protection
The flag --no-subnet-change-protection sets subnet change protection to FALSE.
Associate the network firewall with the new subnet:
aws network-firewall associate-subnets --firewall-arn <FW arn> --subnet-mappings SubnetId=<Subnet ID>
Disassociate the previous subnet from the network firewall:
aws network-firewall disassociate-subnets --firewall-arn <FW arn> --subnet-ids <Subnet ID>
Don't forget to re-enable subnet change protection when you finish:
aws network-firewall update-subnet-change-protection --firewall-arn <FW arn> --subnet-change-protection
For more information: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-vpc.html
Architecture examples:
https://docs.aws.amazon.com/network-firewall/latest/developerguide/architectures.html
https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall
CLI:
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-subnet-change-protection.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/associate-subnets.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/disassociate-subnets.html
AWS Network-Firewall
AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall's flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act
Compliance Frameworks
- Terraform AWS CIS Foundations