AWS Network Firewall Policy is not associated with a rule group
- Contextual name: Policy is not associated with a rule group
- ID: /ce/ca/aws/network-firewall/policy-rule-group-association
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
Description
This policy identifies AWS Network Firewall Policies that are not associated with at least one stateless or stateful rule group.
Rationale
An AWS Network Firewall policy is a container for stateless and stateful rule groups. The policy itself only defines default actions (what happens to packets and fragments that no stateless rule matches), while the actual inspection, filtering and enforcement logic lives in the rule groups. A policy with no rule groups therefore handles every packet by its default actions alone, provides minimal security value, and usually indicates an incomplete or misconfigured firewall deployment, letting traffic pass without the inspection the firewall was meant to perform.
Audit
This policy flags an AWS Network Firewall Firewall Policy as INCOMPLIANT if it is not associated with at least one AWS Network Firewall Rule Group. Firewall Policies whose Firewall Policy Status is not ACTIVE are marked as INAPPLICABLE.
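The evaluation above, written out as an added example (this is not the page's prod.logic.yaml or any Cloudaware code). It works on the response shape of `aws network-firewall describe-firewall-policy` (top-level `UpdateToken`, `FirewallPolicyResponse`, `FirewallPolicy`). The sample responses, ARNs, account ID and `FakeClient` are constructed stand-ins; `scan()` accepts a real `boto3.client("network-firewall")` in place of the fake.

```python
"""Evaluate Network Firewall policies against the rule-group-association check."""

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"
INAPPLICABLE = "INAPPLICABLE"


def rule_group_arns(policy):
    """ARNs of every stateless and stateful rule group the policy references."""
    refs = list(policy.get("StatelessRuleGroupReferences", []))
    refs += policy.get("StatefulRuleGroupReferences", [])
    return [ref["ResourceArn"] for ref in refs]


def evaluate(describe_response):
    """Map one DescribeFirewallPolicy response to a verdict.

    Non-ACTIVE policies (DELETING, ERROR) are INAPPLICABLE; an ACTIVE policy
    that references no rule group at all is INCOMPLIANT.
    """
    status = describe_response.get("FirewallPolicyResponse", {}).get("FirewallPolicyStatus")
    if status != "ACTIVE":
        return INAPPLICABLE
    policy = describe_response.get("FirewallPolicy", {})
    return COMPLIANT if rule_group_arns(policy) else INCOMPLIANT


def scan(client):
    """Evaluate every policy visible to `client` (boto3 network-firewall client or a
    stand-in with the same list/describe methods). Returns {policy ARN: verdict}."""
    verdicts = {}
    token = None
    while True:
        page = client.list_firewall_policies(**({"NextToken": token} if token else {}))
        for summary in page.get("FirewallPolicies", []):
            arn = summary["Arn"]
            verdicts[arn] = evaluate(client.describe_firewall_policy(FirewallPolicyArn=arn))
        token = page.get("NextToken")
        if not token:
            return verdicts


def _response(name, status, policy):
    # Constructed response; account ID and region are placeholders.
    arn = f"arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/{name}"
    return {
        "UpdateToken": "00000000-0000-0000-0000-000000000000",
        "FirewallPolicyResponse": {"FirewallPolicyName": name, "FirewallPolicyArn": arn,
                                   "FirewallPolicyStatus": status},
        "FirewallPolicy": policy,
    }


STATEFUL_RG = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/example-ids"

# Constructed samples: a bare policy carrying only its (required) default actions,
# the same policy with one stateful rule group attached, and a policy being deleted.
SAMPLES = [
    _response("empty-policy", "ACTIVE", {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    }),
    _response("inspecting-policy", "ACTIVE", {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [{"ResourceArn": STATEFUL_RG}],
    }),
    _response("retired-policy", "DELETING", {
        "StatelessDefaultActions": ["aws:drop"],
        "StatelessFragmentDefaultActions": ["aws:drop"],
    }),
]


class FakeClient:
    """Offline stand-in for boto3.client("network-firewall"); pages SAMPLES two at a time."""

    def __init__(self, responses):
        self._by_arn = {r["FirewallPolicyResponse"]["FirewallPolicyArn"]: r for r in responses}

    def list_firewall_policies(self, NextToken=None, MaxResults=None):
        arns = list(self._by_arn)
        start = int(NextToken or 0)
        page = [{"Name": self._by_arn[a]["FirewallPolicyResponse"]["FirewallPolicyName"],
                 "Arn": a} for a in arns[start:start + 2]]
        out = {"FirewallPolicies": page}
        if start + 2 < len(arns):
            out["NextToken"] = str(start + 2)   # exercises the pagination loop in scan()
        return out

    def describe_firewall_policy(self, FirewallPolicyArn):
        return self._by_arn[FirewallPolicyArn]


def demo():
    """Run the scan over the constructed samples; returns {policy name: verdict}."""
    return {arn.rsplit("/", 1)[1]: v for arn, v in scan(FakeClient(SAMPLES)).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against a live account, `scan(boto3.client("network-firewall", region_name=...))` needs `network-firewall:ListFirewallPolicies` and `network-firewall:DescribeFirewallPolicy`; run it per region, since policies are regional.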
Remediation
Associate the Network Firewall Policy with a Rule Group
To ensure effective traffic inspection and enforcement, associate the AWS Network Firewall policy with at least one stateless or stateful rule group.
From Command Line
update-firewall-policy replaces the entire FirewallPolicy object, so the request must carry the required StatelessDefaultActions and StatelessFragmentDefaultActions and every rule group the policy already references, or they are dropped. You must also supply the current UpdateToken to avoid conflicting updates. First, retrieve the current update token (run the same command without --query to see the full FirewallPolicy body you need to copy from):

```bash
aws network-firewall describe-firewall-policy \
  --firewall-policy-arn {{policy-arn}} \
  --query UpdateToken \
  --output text
```

Associate a Stateless Rule Group
Copy the two default-action lists from the current policy (the built-in values are aws:pass, aws:drop and aws:forward_to_sfe; custom actions defined in the policy are also valid). Priority sets the order in which stateless rule groups run and must be unique within the policy.

```bash
aws network-firewall update-firewall-policy \
  --update-token {{update-token}} \
  --firewall-policy-arn {{firewall-policy-arn}} \
  --firewall-policy '{
    "StatelessDefaultActions": ["{{stateless-default-action}}"],
    "StatelessFragmentDefaultActions": ["{{stateless-fragment-default-action}}"],
    "StatelessRuleGroupReferences": [
      {
        "ResourceArn": "{{stateless-rule-group-arn}}",
        "Priority": 100
      }
    ]
  }'
```

Associate a Stateful Rule Group
```bash
aws network-firewall update-firewall-policy \
  --update-token {{update-token}} \
  ...
```

[see more](remediation.md)
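The describe, modify, update sequence above, carried out programmatically as an added example (not the page's or AWS's code). It preserves what UpdateFirewallPolicy would otherwise overwrite: the required default actions and any existing references are copied from the DescribeFirewallPolicy result and only the new reference is appended. The ARNs, account ID and `FakeClient` are constructed stand-ins; `remediate()` takes a real `boto3.client("network-firewall")` in the fake's place. The rule that a stateful reference may carry a Priority only when the policy's RuleOrder is STRICT_ORDER is taken from the FirewallPolicy API contract.

```python
"""Attach a rule group to an existing Network Firewall policy without clobbering it."""
import copy
import json

REQUIRED_KEYS = ("StatelessDefaultActions", "StatelessFragmentDefaultActions")


def add_rule_group(policy, rule_group_arn, priority=None):
    """Return a copy of `policy` that also references `rule_group_arn`.

    The ARN's resource type (stateless-rulegroup / stateful-rulegroup) selects the list.
    Stateless references need a Priority that is unique within the policy; a stateful
    reference may only carry one when the policy's RuleOrder is STRICT_ORDER.
    """
    missing = [k for k in REQUIRED_KEYS if not policy.get(k)]
    if missing:
        raise ValueError(f"policy body is missing required keys: {missing}")
    updated = copy.deepcopy(policy)
    if ":stateless-rulegroup/" in rule_group_arn:
        refs = updated.setdefault("StatelessRuleGroupReferences", [])
        if any(r["ResourceArn"] == rule_group_arn for r in refs):
            return updated                      # already attached: nothing to change
        if priority is None:
            raise ValueError("stateless rule group references require a Priority")
        if any(r.get("Priority") == priority for r in refs):
            raise ValueError(f"priority {priority} is already used in this policy")
        refs.append({"ResourceArn": rule_group_arn, "Priority": priority})
    elif ":stateful-rulegroup/" in rule_group_arn:
        refs = updated.setdefault("StatefulRuleGroupReferences", [])
        if any(r["ResourceArn"] == rule_group_arn for r in refs):
            return updated
        ref = {"ResourceArn": rule_group_arn}
        if priority is not None:
            if updated.get("StatefulEngineOptions", {}).get("RuleOrder") != "STRICT_ORDER":
                raise ValueError("stateful Priority is only valid with RuleOrder STRICT_ORDER")
            ref["Priority"] = priority
        refs.append(ref)
    else:
        raise ValueError(f"not a Network Firewall rule group ARN: {rule_group_arn}")
    return updated


def remediate(client, policy_arn, rule_group_arn, priority=None):
    """describe -> add reference -> update, passing the UpdateToken the describe call issued."""
    current = client.describe_firewall_policy(FirewallPolicyArn=policy_arn)
    body = add_rule_group(current["FirewallPolicy"], rule_group_arn, priority)
    return client.update_firewall_policy(
        UpdateToken=current["UpdateToken"], FirewallPolicyArn=policy_arn, FirewallPolicy=body)


def cli_command(update_token, policy_arn, body):
    """The equivalent `aws network-firewall update-firewall-policy` invocation, as argv."""
    return ["aws", "network-firewall", "update-firewall-policy",
            "--update-token", update_token,
            "--firewall-policy-arn", policy_arn,
            "--firewall-policy", json.dumps(body)]


PREFIX = "arn:aws:network-firewall:us-east-1:123456789012"     # placeholder account/region
POLICY_ARN = f"{PREFIX}:firewall-policy/empty-policy"
STATELESS_RG = f"{PREFIX}:stateless-rulegroup/block-known-bad"
STATEFUL_RG = f"{PREFIX}:stateful-rulegroup/suricata-ids"

# Constructed starting point: default actions present, no rule groups (the INCOMPLIANT case).
EMPTY_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
}


class FakeClient:
    """Offline stand-in for boto3.client("network-firewall") that enforces the UpdateToken."""

    def __init__(self, policy):
        self.policy = copy.deepcopy(policy)
        self.version = 1

    @property
    def token(self):
        return f"token-{self.version}"

    def describe_firewall_policy(self, FirewallPolicyArn):
        return {"UpdateToken": self.token, "FirewallPolicy": copy.deepcopy(self.policy)}

    def update_firewall_policy(self, UpdateToken, FirewallPolicyArn, FirewallPolicy):
        if UpdateToken != self.token:   # same failure the real API signals for a stale token
            raise RuntimeError("InvalidTokenException: policy changed since the token was issued")
        self.policy = copy.deepcopy(FirewallPolicy)
        self.version += 1
        return {"UpdateToken": self.token}


def demo():
    """Attach a stateless, then a stateful, rule group to EMPTY_POLICY; returns the final body."""
    client = FakeClient(EMPTY_POLICY)
    remediate(client, POLICY_ARN, STATELESS_RG, priority=100)
    remediate(client, POLICY_ARN, STATEFUL_RG)
    return client.policy


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-running `remediate()` for an ARN that is already referenced is a no-op apart from the round trip, so the fix is safe to apply from an automated remediation loop; a stale token is rejected rather than silently overwriting a concurrent change.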
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated | | | 1 | no data | |
| Cloudaware Framework → System Configuration | | | 61 | no data | |
| FedRAMP High Security Controls → CM-2 Baseline Configuration (L)(M)(H) | 3 | 1 | 37 | no data | |
| FedRAMP Low Security Controls → CM-2 Baseline Configuration (L)(M)(H) | | | 36 | no data | |
| FedRAMP Moderate Security Controls → CM-2 Baseline Configuration (L)(M)(H) | 3 | | 37 | no data | |
| NIST SP 800-53 Revision 5 → CA-9(1) Internal System Connections _ Compliance Checks | | | 43 | no data | |
| NIST SP 800-53 Revision 5 → CM-2 Baseline Configuration | 7 | | 36 | no data | |