AWS Network Firewall Policy Stateless Default Action is not Drop or Forward
- Contextual name: Policy Stateless Default Action is not Drop or Forward
- ID: /ce/ca/aws/network-firewall/policy-default-stateless-action
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets
- AWS Security Hub: [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
Description
This policy identifies AWS Network Firewall policies whose default action for stateless traffic (packets that do not match any configured stateless rule) is set to Pass.
Rationale
In AWS Network Firewall, stateless rules are evaluated before stateful rules. When a packet does not match any stateless rule, the firewall applies the configured Stateless Default Action:
- aws:drop: Blocks the traffic.
- aws:forward_to_sfe: Forwards the traffic to the stateful engine for deeper inspection, such as signature-based detection and domain filtering.
- aws:pass: Allows the traffic to reach its destination without additional inspection.
Configuring the stateless default action as Pass introduces a security gap by allowing unmatched traffic to bypass both stateless controls and the stateful inspection engine. This may result in insufficient enforcement of network security policies.
Impact
Malicious or unauthorized traffic may enter the network if stateless rules do not explicitly account for all unwanted traffic patterns.
Remediation
Update the Stateless Default Action
To prevent stateless traffic from bypassing inspection, update the AWS Network Firewall policy to use a secure stateless default action, such as forwarding unmatched traffic to the stateful engine.
From Command Line
When updating a firewall policy, you must provide the current UpdateToken to avoid conflicting changes. First, retrieve the current update token:

```shell
aws network-firewall describe-firewall-policy \
  --firewall-policy-arn {{firewall-policy-arn}} \
  --query UpdateToken \
  --output text
```

Next, update the firewall policy to set secure stateless default actions:

```shell
aws network-firewall update-firewall-policy \
  --update-token {{update-token}} \
  --firewall-policy-arn {{firewall-policy-arn}} \
  --firewall-policy '{
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"]
  }'
```

Note that the document passed in --firewall-policy replaces the whole firewall policy, so include the policy's existing rule group references and other settings (taken from the FirewallPolicy element of the describe-firewall-policy output), not only the default actions. Alternatively, you may use aws:drop to block unmatched stateless traffic, depending on your security requirements.
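As an added example (not part of this policy page and not Cloudaware's prod.logic.yaml), the Python below evaluates a FirewallPolicy document in the shape returned by describe-firewall-policy for the weak stateless default actions this policy flags, and builds the remediated document for update-firewall-policy while preserving the rest of the policy. The sample documents, the ARN and the custom action name MyCustomMetricAction are constructed for the example.

```python
from typing import Dict, List

# Standard stateless default actions; exactly one of them must be present per field,
# optionally alongside custom (named) actions such as metric-publishing actions.
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
SECURE_ACTIONS = {"aws:drop", "aws:forward_to_sfe"}
DEFAULT_FIELDS = ("StatelessDefaultActions", "StatelessFragmentDefaultActions")


def evaluate_policy(policy: Dict) -> List[str]:
    """Return findings for a FirewallPolicy document; an empty list means the policy
    passes the NetworkFirewall.4 (full packets) and NetworkFirewall.5 (fragments) checks."""
    findings = []
    for field in DEFAULT_FIELDS:
        standard = [a for a in policy.get(field, []) if a in STANDARD_ACTIONS]
        if "aws:pass" in standard:
            findings.append(f"{field}: aws:pass lets unmatched traffic bypass inspection")
        if not standard:
            findings.append(f"{field}: no standard default action set")
        elif len(standard) > 1:
            findings.append(f"{field}: more than one standard default action: {standard}")
    return findings


def remediated_policy(policy: Dict, action: str = "aws:forward_to_sfe") -> Dict:
    """Return a copy of the policy with aws:pass replaced by `action` in both default
    action lists. Custom actions and every other key (rule group references, stateful
    options) are kept, because --firewall-policy replaces the whole document."""
    if action not in SECURE_ACTIONS:
        raise ValueError(f"{action} is not a secure stateless default action")
    fixed = dict(policy)
    for field in DEFAULT_FIELDS:
        fixed[field] = [action if a == "aws:pass" else a for a in policy.get(field, [])]
    return fixed


# Constructed sample documents (shape of the FirewallPolicy element returned by
# `aws network-firewall describe-firewall-policy`); the ARN and action name are made up.
INSECURE_POLICY = {
    "StatelessDefaultActions": ["aws:pass"],
    "StatelessFragmentDefaultActions": ["aws:pass"],
    "StatelessRuleGroupReferences": [{"ResourceArn": "arn:aws:network-firewall:REGION:ACCOUNT:stateless-rulegroup/example", "Priority": 10}],
}
MIXED_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe", "MyCustomMetricAction"],
    "StatelessFragmentDefaultActions": ["aws:pass"],
}

if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE_POLICY), ("mixed", MIXED_POLICY)):
        print(name, evaluate_policy(doc) or "compliant")
        print(name, "after fix:", evaluate_policy(remediated_policy(doc)) or "compliant")
```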
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets | 1 | no data | | | |
| AWS Foundational Security Best Practices v1.0.0 → [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets | 1 | no data | | | |
| Cloudaware Framework → System Configuration | 61 | no data | | | |
| FedRAMP High Security Controls → CM-2 Baseline Configuration (L)(M)(H) | 3 | 1 | 37 | no data | |
| FedRAMP Low Security Controls → CM-2 Baseline Configuration (L)(M)(H) | 36 | no data | | | |
| FedRAMP Moderate Security Controls → CM-2 Baseline Configuration (L)(M)(H) | 3 | 37 | no data | | |
| NIST SP 800-53 Revision 5 → CA-9(1) Internal System Connections _ Compliance Checks | 43 | no data | | | |
| NIST SP 800-53 Revision 5 → CM-2 Baseline Configuration | 7 | 36 | no data | | |