Remediation
Associate the Network Firewall Policy with a Rule Group
To ensure effective traffic inspection and enforcement, associate the AWS Network Firewall policy with at least one stateless or stateful rule group. A policy with no rule groups only applies its stateless default actions, so no traffic is actually inspected.
From Command Line
When updating a firewall policy, you must supply the current UpdateToken to avoid conflicting updates. Note that update-firewall-policy replaces the entire FirewallPolicy object: the JSON you pass must include the required StatelessDefaultActions and StatelessFragmentDefaultActions lists, plus any rule group references the policy already has, or those settings are dropped. Copy the existing values from the describe-firewall-policy output.
First, retrieve the current update token:
aws network-firewall describe-firewall-policy \
  --firewall-policy-arn {{firewall-policy-arn}} \
  --query UpdateToken \
  --output text
Associate a Stateless Rule Group
The default actions shown below are examples; keep the values your policy already uses.
aws network-firewall update-firewall-policy \
  --update-token {{update-token}} \
  --firewall-policy-arn {{firewall-policy-arn}} \
  --firewall-policy '{
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
    "StatelessRuleGroupReferences": [
      {
        "ResourceArn": "{{stateless-rule-group-arn}}",
        "Priority": 100
      }
    ]
  }'
Associate a Stateful Rule Group
Priority on a stateful rule group reference is only accepted when the policy's StatefulEngineOptions.RuleOrder is STRICT_ORDER; for a policy using the default action order, omit the Priority key.
aws network-firewall update-firewall-policy \
  --update-token {{update-token}} \
  --firewall-policy-arn {{firewall-policy-arn}} \
  --firewall-policy '{
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
    "StatefulRuleGroupReferences": [
      {
        "ResourceArn": "{{stateful-rule-group-arn}}",
        "Priority": 100
      }
    ]
  }'
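The describe-then-update sequence above, carried out as one step that merges the new reference into the existing policy instead of overwriting it (an added example using boto3, not part of the original page; the sample policy and ARNs are constructed, and attach_rule_group is a hypothetical helper name):

```python
"""Attach a rule group to an AWS Network Firewall policy without losing its
existing settings: UpdateFirewallPolicy replaces the whole FirewallPolicy, so
the current policy is read, merged and written back under its UpdateToken."""
import copy

def add_rule_group_reference(policy, rule_group_arn, priority=None):
    """Return a copy of the FirewallPolicy dict that references rule_group_arn.

    Required default-action lists and existing references are preserved.
    Stateless references always get a Priority; stateful references get one
    only when StatefulEngineOptions.RuleOrder is STRICT_ORDER, because the
    API rejects Priority on stateful references under the default order.
    """
    stateful = ":stateful-rulegroup/" in rule_group_arn
    key = "StatefulRuleGroupReferences" if stateful else "StatelessRuleGroupReferences"
    merged = copy.deepcopy(policy)
    refs = merged.setdefault(key, [])
    if any(r["ResourceArn"] == rule_group_arn for r in refs):
        return merged  # already attached: nothing to change
    ref = {"ResourceArn": rule_group_arn}
    strict = merged.get("StatefulEngineOptions", {}).get("RuleOrder") == "STRICT_ORDER"
    if not stateful or strict:
        if priority is None:  # append after the highest existing priority
            priority = 1 + max((r.get("Priority", 0) for r in refs), default=0)
        ref["Priority"] = priority
    refs.append(ref)
    return merged

def attach_rule_group(policy_arn, rule_group_arn, priority=None):
    """Describe, merge and update in one call (hypothetical helper name)."""
    import boto3  # imported here so the merge logic above runs offline
    client = boto3.client("network-firewall")
    current = client.describe_firewall_policy(FirewallPolicyArn=policy_arn)
    merged = add_rule_group_reference(current["FirewallPolicy"], rule_group_arn, priority)
    return client.update_firewall_policy(
        UpdateToken=current["UpdateToken"],  # stale token -> InvalidTokenException
        FirewallPolicyArn=policy_arn,
        FirewallPolicy=merged,
    )

# Constructed sample input: a policy with default actions but no rule groups.
SAMPLE_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
}
ACCOUNT = "arn:aws:network-firewall:us-east-1:111122223333:"  # constructed
SAMPLE_STATELESS_ARN = ACCOUNT + "stateless-rulegroup/example"
SAMPLE_STATEFUL_ARN = ACCOUNT + "stateful-rulegroup/example"
```

Running attach_rule_group against a real policy requires AWS credentials with network-firewall:DescribeFirewallPolicy and network-firewall:UpdateFirewallPolicy permissions.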