Ensure Network firewall resides in a dedicated subnet

The network firewall protects the availability zone where it resides. It is the gate to your AZ, and therefore should be alone in a small and dedicated subnet. You should not place other applications in a subnet where a firewall resides, because the network firewall can't filter traffic coming into or going out from that subnet.

Risk Level: Medium
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.TF.AWS.NET.65
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

aws_networkfirewall_firewall should have subnet_mapping contain-all [getResource('aws_subnet',subnet_id) with [cidr_block numberOfHosts() <=15]]

REMEDIATION

To set Networks firewall in a new subnet, you should create a small subnet in the availability zone where you want the network firewall.
afterward, you will need to temporary disable subnet change protection with the following CLI command:

  1. aws network-firewall update-subnet-change-protection --firewall-arn <FW arn> --no-subnet-change-protection
    The flag --no-subnet-change-protection will set the subnet change protection to FALSE.

  2. associate the network firewall with the new subnet:
    aws network-firewall associate-subnets --firewall-arn <FW arn> --subnet-mappings SubnetId=<Subnet ID>

  3. disassociate the previous subnet from the network firewall:
    aws network-firewall disassociate-subnets --firewall-arn <FW arn> --subnet-ids <Subnet ID>

Don't forget to enable subnet change protection when you finish:
aws network-firewall update-subnet-change-protection --firewall-arn <FW arn> --subnet-change-protection

For more information: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-vpc.html
Architectures examples:
https://docs.aws.amazon.com/network-firewall/latest/developerguide/architectures.html
https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall
CLI:

  1. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-subnet-change-protection.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/associate-subnets.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/disassociate-subnets.html

AWS Network-Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act

Compliance Frameworks

  • Terraform AWS CIS Foundations