
πŸ›‘οΈ AWS Network Firewall Rule Group Stateless Rules are empty🟒

  • Contextual name: 🛡️ Rule Group Stateless Rules are empty 🟢
  • ID: /ce/ca/aws/network-firewall/rule-group-stateless-rules
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS Network Firewall Stateless Rule Groups that are empty and contain no defined rules.

Rationale

AWS Network Firewall stateless rule groups are designed to perform filtering based on source IP, source port, destination IP, destination port, and protocol. When a stateless rule group is associated with a firewall policy but contains no rules, it provides no effective security control. Empty rule groups may create a false sense of protection and unnecessarily complicate firewall configurations, making them more difficult to manage, audit, and maintain.

Audit

This policy flags an AWS Network Firewall Rule Group with a STATELESS Type as INCOMPLIANT if its Stateless Rules list is empty.

STATEFUL Rule Groups and Rule Groups that are not in ACTIVE Rule Group Status are marked as INAPPLICABLE.

Remediation

Add Functional Rules to the Stateless Rule Group​

To ensure that a stateless rule group provides effective traffic filtering, add one or more functional stateless rules. Packets that match no stateless rule are handled by the firewall policy's stateless default actions, so an empty group contributes nothing to the filtering decision: stateless rule groups without rules enforce no security controls and should be updated or removed.

From Command Line​

When updating a stateless rule group, you must provide the current UpdateToken to prevent conflicting updates. The token changes on every successful update, and a call made with a stale token is rejected, so retrieve it immediately before the update rather than reusing a value from an earlier session.

First, retrieve the current update token for the rule group:

aws network-firewall describe-rule-group \
--rule-group-arn {{rule-group-arn}} \
--query UpdateToken \
--output text

Next, update the stateless rule group by adding at least one stateless rule:

aws network-firewall update-rule-group \
--update-token {{update-token}} \
--rule-group-arn {{rule-group-arn}} \
--rule-group '{
"RulesSource": {
"StatelessRulesAndCustomActions": {
"StatelessRules": [
{
"Priority": 100,
"RuleDefinition": {

... [see more](remediation.md)
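The following script is an added example, not code from this page, from the Cloudaware rule, or from AWS. It implements the Audit section's verdict logic over the JSON shape that `describe-rule-group` returns, then performs the token-guarded read-modify-write from the Remediation section above. `FakeNetworkFirewall` is a constructed in-memory stand-in for the boto3 `network-firewall` client so the script runs offline and can show what happens with a stale UpdateToken; against a real account, pass `boto3.client("network-firewall")` instead. The ARN, the 10.0.0.0/8 destination range, and the choice of a drop-SSH rule as the first functional rule are assumptions made for the sample.

```python
"""Audit and remediate empty AWS Network Firewall stateless rule groups.

Added example, not the page's own code. FakeNetworkFirewall is a constructed
stand-in for boto3.client("network-firewall") so this runs offline. The ARN,
the 10.0.0.0/8 CIDR and the SSH-drop rule are assumptions for the sample.
"""
import copy
import uuid


def evaluate_rule_group(desc: dict) -> str:
    """Verdict for one describe-rule-group response, per the Audit section:
    STATEFUL groups and groups not ACTIVE are INAPPLICABLE; an ACTIVE
    STATELESS group whose StatelessRules list is empty is INCOMPLIANT."""
    meta = desc["RuleGroupResponse"]
    if meta["Type"] != "STATELESS" or meta["RuleGroupStatus"] != "ACTIVE":
        return "INAPPLICABLE"
    rules = (desc["RuleGroup"].get("RulesSource", {})
             .get("StatelessRulesAndCustomActions", {})
             .get("StatelessRules", []))
    return "INCOMPLIANT" if not rules else "COMPLIANT"


def drop_ssh_rule(priority: int, dst_cidr: str = "10.0.0.0/8") -> dict:
    """Stateless rule: drop TCP/22 from anywhere to dst_cidr (assumed VPC range)."""
    return {
        "Priority": priority,
        "RuleDefinition": {
            "MatchAttributes": {
                "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                "Destinations": [{"AddressDefinition": dst_cidr}],
                "DestinationPorts": [{"FromPort": 22, "ToPort": 22}],
                "Protocols": [6],  # 6 = TCP
            },
            "Actions": ["aws:drop"],
        },
    }


def add_stateless_rules(client, rule_group_arn: str, new_rules: list) -> str:
    """Read-modify-write guarded by the UpdateToken; returns the new token.
    Priorities must be unique inside a stateless rule group, so collisions
    with existing rules are rejected before the API is called."""
    desc = client.describe_rule_group(RuleGroupArn=rule_group_arn)
    group = copy.deepcopy(desc["RuleGroup"])
    block = group.setdefault("RulesSource", {}).setdefault(
        "StatelessRulesAndCustomActions", {})
    existing = block.setdefault("StatelessRules", [])
    taken = {r["Priority"] for r in existing}
    for rule in new_rules:
        if rule["Priority"] in taken:
            raise ValueError(f"priority {rule['Priority']} already in use")
        taken.add(rule["Priority"])
    existing.extend(new_rules)
    resp = client.update_rule_group(
        UpdateToken=desc["UpdateToken"], RuleGroupArn=rule_group_arn, RuleGroup=group)
    return resp["UpdateToken"]


class FakeNetworkFirewall:
    """Constructed offline stand-in for the boto3 client (assumption, not AWS code)."""

    def __init__(self, groups: dict):
        self._groups = copy.deepcopy(groups)  # arn -> {"RuleGroup", "RuleGroupResponse"}
        self._tokens = {arn: str(uuid.uuid4()) for arn in groups}

    def describe_rule_group(self, RuleGroupArn: str) -> dict:
        g = self._groups[RuleGroupArn]
        return {"UpdateToken": self._tokens[RuleGroupArn],
                "RuleGroup": copy.deepcopy(g["RuleGroup"]),
                "RuleGroupResponse": dict(g["RuleGroupResponse"])}

    def update_rule_group(self, UpdateToken: str, RuleGroupArn: str, RuleGroup: dict) -> dict:
        if UpdateToken != self._tokens[RuleGroupArn]:
            # the real service rejects a stale token (InvalidTokenException)
            raise RuntimeError("InvalidTokenException: stale UpdateToken")
        self._groups[RuleGroupArn]["RuleGroup"] = copy.deepcopy(RuleGroup)
        self._tokens[RuleGroupArn] = str(uuid.uuid4())
        return {"UpdateToken": self._tokens[RuleGroupArn],
                "RuleGroupResponse": dict(self._groups[RuleGroupArn]["RuleGroupResponse"])}


# Constructed sample: one ACTIVE stateless group with no rules (the finding on this page).
EMPTY_ARN = "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/empty-example"
SAMPLE_GROUPS = {
    EMPTY_ARN: {
        "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": []}}},
        "RuleGroupResponse": {"RuleGroupArn": EMPTY_ARN, "RuleGroupName": "empty-example",
                              "Type": "STATELESS", "Capacity": 100, "RuleGroupStatus": "ACTIVE"},
    },
}


def remediate_if_empty(client, arn: str) -> tuple:
    """Return (verdict before, verdict after); only INCOMPLIANT groups are changed."""
    before = evaluate_rule_group(client.describe_rule_group(RuleGroupArn=arn))
    if before == "INCOMPLIANT":
        add_stateless_rules(client, arn, [drop_ssh_rule(priority=100)])
    after = evaluate_rule_group(client.describe_rule_group(RuleGroupArn=arn))
    return before, after


if __name__ == "__main__":
    print(remediate_if_empty(FakeNetworkFirewall(SAMPLE_GROUPS), EMPTY_ARN))
```

The read of the UpdateToken and the update are kept inside one function on purpose: two operators editing the same group concurrently will each read a token, and only the first update succeeds, which is exactly the conflict the token exists to surface. Which rule to add first is a design decision for the firewall policy, not something the script can choose for you; the SSH-drop rule here is only a placeholder so the group stops being empty.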


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty | 1 | no data
💼 Cloudaware Framework → 💼 System Configuration | 61 | no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 1158 | no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) | 10877 | no data
💼 FedRAMP High Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H) | 19 | no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H) | 33 | no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) | 45 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 58 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) | 763 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H) | 19 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 167 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 178 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 154 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 174 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 116 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows | 3758 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection | 29484 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception | 419 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic | 33 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components | 34 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components | 33 | no data

(The numeric counts were fused by extraction and the split between the Sub Sections, Internal Rules, Policies and Flags columns could not be recovered; they are reproduced as extracted.)