
πŸ›‘οΈ AWS Network Firewall Subnet Change Protection is not enabled🟒

  • Contextual name: 🛡️ Firewall Subnet Change Protection is not enabled 🟢
  • ID: /ce/ca/aws/network-firewall/firewall-subnet-change-protection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS Network Firewalls that do not have Subnet Change Protection enabled.

Rationale

AWS Network Firewall deploys endpoints in specific subnets to inspect network traffic. If these subnets are modified or removed without proper coordination, the firewall may become unreachable, or VPC traffic routing may fail, resulting in service disruption or downtime.

Enabling Subnet Change Protection acts as a safeguard by preventing unintended modifications to the firewall’s subnet associations. Changes to the firewall’s network configuration require that the protection be explicitly disabled, ensuring that subnet updates are intentional and controlled.

Audit

This policy flags an AWS NetworkFirewall Firewall as INCOMPLIANT if the Subnet Change Protection field is set to false.

Firewalls that are not in READY Status are marked as INAPPLICABLE.

Remediation

Enable Subnet Change Protection for the Firewall

To prevent accidental or unauthorized modifications to the firewall’s subnet associations, enable Subnet Change Protection.

From Command Line

Run the following command to enable subnet change protection:

aws network-firewall update-subnet-change-protection \
--firewall-arn {{firewall-arn}} \
--subnet-change-protection

Once enabled, any attempt to modify the firewall’s subnet associations requires that subnet change protection be explicitly disabled first.
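Added example (not part of this policy page and not Cloudaware's own checker): a Python script that applies the Audit rule above to DescribeFirewall responses (a READY firewall with SubnetChangeProtection false is INCOMPLIANT; any other status is INAPPLICABLE) and builds the remediation command from the From Command Line section. The ListFirewalls/DescribeFirewall field names follow the AWS Network Firewall API; the sample responses and the 111122223333 account ID are constructed.

```python
from typing import Dict, List


def evaluate_firewall(describe_response: Dict) -> Dict[str, str]:
    """Apply this policy's Audit rule to one DescribeFirewall response:
    not READY -> INAPPLICABLE, SubnetChangeProtection false -> INCOMPLIANT."""
    firewall = describe_response.get("Firewall", {})
    status = describe_response.get("FirewallStatus", {}).get("Status")
    if status != "READY":
        verdict = "INAPPLICABLE"
    elif firewall.get("SubnetChangeProtection") is not True:
        verdict = "INCOMPLIANT"
    else:
        verdict = "COMPLIANT"
    return {"FirewallArn": firewall.get("FirewallArn", "<unknown>"),
            "Status": status or "<missing>", "Verdict": verdict}


def remediation_command(firewall_arn: str) -> List[str]:
    """The Remediation section's CLI call, as an argv list for subprocess."""
    return ["aws", "network-firewall", "update-subnet-change-protection",
            "--firewall-arn", firewall_arn, "--subnet-change-protection"]


# Constructed sample responses (not captured from a real account).
_ARN = "arn:aws:network-firewall:us-east-1:111122223333:firewall/"
SAMPLE_RESPONSES = [
    {"Firewall": {"FirewallArn": _ARN + "fw-a", "SubnetChangeProtection": False},
     "FirewallStatus": {"Status": "READY"}},
    {"Firewall": {"FirewallArn": _ARN + "fw-b", "SubnetChangeProtection": True},
     "FirewallStatus": {"Status": "READY"}},
    {"Firewall": {"FirewallArn": _ARN + "fw-c", "SubnetChangeProtection": False},
     "FirewallStatus": {"Status": "PROVISIONING"}},
]


def audit_account() -> List[Dict[str, str]]:
    """Audit every firewall in the configured region via boto3 (needs credentials)."""
    import boto3  # imported here so the offline parts run without it installed
    client, kwargs, results = boto3.client("network-firewall"), {}, []
    while True:  # ListFirewalls is paginated with NextToken
        page = client.list_firewalls(**kwargs)
        for fw in page["Firewalls"]:
            resp = client.describe_firewall(FirewallArn=fw["FirewallArn"])
            results.append(evaluate_firewall(resp))
        if not page.get("NextToken"):
            return results
        kwargs = {"NextToken": page["NextToken"]}
```

Running `evaluate_firewall` over `SAMPLE_RESPONSES` yields INCOMPLIANT, COMPLIANT and INAPPLICABLE in that order; `audit_account()` does the same against a live account.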

Linked Framework Sections

| Section | Sub Sections | Internal Rules / Policies / Flags | Compliance |
| --- | --- | --- | --- |
| 💼 AWS Foundational Security Best Practices v1.0.0 | 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled | 1 | no data |
| 💼 Cloudaware Framework | 💼 System Configuration | 61 | no data |
| 💼 FedRAMP High Security Controls | 💼 CM-2 Baseline Configuration (L)(M)(H) | 3137 | no data |
| 💼 FedRAMP High Security Controls | 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 18 | no data |
| 💼 FedRAMP High Security Controls | 💼 CM-3 Configuration Change Control (M)(H) | 437 | no data |
| 💼 FedRAMP Low Security Controls | 💼 CM-2 Baseline Configuration (L)(M)(H) | 36 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 CM-2 Baseline Configuration (L)(M)(H) | 337 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 18 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 CM-3 Configuration Change Control (M)(H) | 221 | no data |
| 💼 NIST CSF v2.0 | 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 167 | no data |
| 💼 NIST CSF v2.0 | 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 168 | no data |
| 💼 NIST CSF v2.0 | 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 41 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 CA-9(1) Internal System Connections _ Compliance Checks | 43 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 CM-2 Baseline Configuration | 736 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | 18 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 CM-3 Configuration Change Control | 81737 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | 16 | no data |