
πŸ›‘οΈ AWS Network Firewall Delete Protection is not enabled🟒

  • Contextual name: 🛡️ Firewall Delete Protection is not enabled🟒
  • ID: /ce/ca/aws/network-firewall/firewall-delete-protection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Logic

Similar Policies

Description

This policy identifies AWS Network Firewalls that do not have Delete Protection enabled.

Rationale

AWS Network Firewall often serves as a critical control point for network traffic entering or leaving a VPC. Accidental deletion of a firewall can result in significant operational and security risks, including:

  1. Traffic Disruption: If routing configurations continue to reference firewall endpoints that no longer exist, network traffic may be disrupted or fail entirely.
  2. Security Gaps: If the firewall is removed and traffic is allowed to bypass inspection due to routing behavior, network traffic may flow without enforcement, increasing exposure to malicious or unauthorized activity.

Enabling Delete Protection introduces an additional safeguard by requiring explicit action to disable the protection before a firewall can be deleted, reducing the risk of accidental or unauthorized removal.

Audit

This policy flags an AWS NetworkFirewall Firewall as INCOMPLIANT if the Delete Protection field is set to false.

Remediation

Enable Delete Protection for the Firewall

To prevent accidental or unauthorized deletion, enable Delete Protection on the AWS Network Firewall.

From Command Line

Run the following command to enable delete protection:

aws network-firewall update-firewall-delete-protection \
    --firewall-arn {{firewall-arn}} \
    --delete-protection-enabled

Once enabled, delete protection must be explicitly disabled before the firewall can be deleted.
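The audit rule above and the remediation command, together as an added Python example (not Cloudaware's policy code): evaluate_firewall applies the DeleteProtection check to DescribeFirewall responses, and remediation_params builds the boto3 UpdateFirewallDeleteProtection request that matches the CLI command, carrying the UpdateToken so the write cannot overwrite a concurrent change. The function names, account id, firewall names and ARNs are constructed placeholders, and the live path assumes boto3 with credentials that allow ListFirewalls, DescribeFirewall and UpdateFirewallDeleteProtection.

```python
"""Audit AWS Network Firewall delete protection and build the remediation call.
evaluate_firewall() is pure so the audit runs offline; boto3 is imported only on the
live path (assumption: caller has network-firewall List/Describe/Update rights)."""
from typing import Any, Dict, List

def evaluate_firewall(describe_response: Dict[str, Any]) -> Dict[str, Any]:
    """Policy rule: INCOMPLIANT when Firewall.DeleteProtection is false (absent = fail closed)."""
    fw = describe_response.get("Firewall", {})
    protected = fw.get("DeleteProtection") is True
    return {
        "FirewallArn": fw.get("FirewallArn"),
        "FirewallName": fw.get("FirewallName"),
        "Status": "COMPLIANT" if protected else "INCOMPLIANT",
        # Keep the UpdateToken so remediation cannot overwrite a concurrent change.
        "UpdateToken": describe_response.get("UpdateToken"),
    }

def remediation_params(finding: Dict[str, Any]) -> Dict[str, Any]:
    """UpdateFirewallDeleteProtection request equivalent to the CLI command above."""
    params = {"FirewallArn": finding["FirewallArn"], "DeleteProtectionEnabled": True}
    if finding.get("UpdateToken"):
        params["UpdateToken"] = finding["UpdateToken"]
    return params

def audit(describe_responses: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return only the firewalls that violate the policy."""
    return [f for f in map(evaluate_firewall, describe_responses) if f["Status"] == "INCOMPLIANT"]

def audit_region(region: str, apply: bool = False) -> List[Dict[str, Any]]:
    """Live path: page through ListFirewalls, describe each, and enable protection if apply=True."""
    import boto3
    client = boto3.client("network-firewall", region_name=region)
    responses, token = [], None
    while True:
        page = client.list_firewalls(**({"NextToken": token} if token else {}))
        responses += [client.describe_firewall(FirewallArn=f["FirewallArn"]) for f in page["Firewalls"]]
        token = page.get("NextToken")
        if not token:
            break
    findings = audit(responses)
    for finding in (findings if apply else []):
        client.update_firewall_delete_protection(**remediation_params(finding))
    return findings

# Constructed sample responses (placeholder account id and ARNs) for an offline run.
SAMPLE_RESPONSES = [
    {"UpdateToken": "tok-1", "Firewall": {"FirewallName": "egress-fw", "DeleteProtection": False,
     "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/egress-fw"}},
    {"UpdateToken": "tok-2", "Firewall": {"FirewallName": "ingress-fw", "DeleteProtection": True,
     "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/ingress-fw"}},
]
```

Running audit(SAMPLE_RESPONSES) reports only egress-fw, and audit_region("us-east-1", apply=True) would enable protection on every flagged firewall in that region.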

policy.yaml

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled | 1 | no data
💼 Cloudaware Framework → 💼 System Configuration | 61 | no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3137 | no data
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 18 | no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H) | 437 | no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 36 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 337 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 18 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H) | 221 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 167 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 168 | no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 41 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 43 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 736 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | 18 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control | 81737 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | 16 | no data